Ask any centralized cryptocurrency firm to name one of their biggest priorities or challenges—and then count the number of times they mention bank partnerships. For crypto firms, the loss of, or failure to acquire, a bank partnership poses an existential threat, undermining the firm’s ability to exchange fiat (traditional currency) for cryptocurrency, and vice versa, in a process colloquially referred to as “on- and off-ramping.” While the cryptocurrency industry is indeed disrupting the future of finance, today the business models of most popular crypto exchanges, payment processors, and stablecoin issuers remain heavily dependent on traditional financial services to support everything from treasury and reserve management, payroll and accounting operations, and perhaps most important of all, the provision of so-called fiat payment rails to support crypto-fiat exchange. Unfortunately for many cryptocurrency firms, the past couple of years have been especially challenging for stability in the bank partner landscape.
Securing a bank partnership has never been a frictionless process for cryptocurrency firms—often requiring extensive due diligence by prospective partner banks in order to get comfortable with an industry notoriously considered to be “novel,” “high risk,” “volatile,” and “complex.” Many traditional financial institutions (TradFis), especially large, systemically important banks that weathered previous enforcement actions, have historically expressed a low appetite for serving cryptocurrency businesses, resulting in a limited pool of potential bank partners. This opened the aperture for small and mid-sized domestic banks to serve an industry faced with exponentially increasing transaction volumes. And for a time, the model was working, though the incumbent banks serving the sector struggled to keep up with demand from prospective customers as crypto prices soared during the 2021 crypto bull run. In its heyday, the leading “crypto” banking-as-a-service (BaaS) provider, Silvergate Bank, estimated that it processed $1 trillion on its real-time payment network, with deposits peaking at $14 billion at the height of the 2021 bull run, largely attributable to Silvergate’s crypto customer base,[1] until it all came crashing down in 2022. A confluence of events, likely precipitated by the fall of popular stablecoin Terra Luna, ushered in a crypto winter so chilling that it resulted in the demise of several leading cryptocurrency exchanges, brokerages, and lenders, leading to the fall of several tech-friendly banks in 2022 that historically served the sector.
Adding insult to injury, the formerly crypto-friendly Office of the Comptroller of the Currency (OCC) issued a joint statement in partnership with the Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Corporation (FDIC) in the wake of these unfortunate events, highlighting the key risks to banks of engaging with the crypto industry, going so far as to proclaim that “issuing or holding as principal crypto-assets . . . is highly likely to be inconsistent with safe and sound banking practices”[2] and expressing “significant safety and soundness concerns with business models that . . . have concentrated exposures to the crypto-asset sector.”[3] The joint statement had a chilling effect on the provision of banking services to the cryptocurrency industry, as banks feared running afoul of their regulators, leaving the remaining crypto industry participants scrambling to find relationships with a limited pool of partners and sacrificing much-needed functionality, like Automated Clearing House (ACH) access for cheaper transactions.
But with a new crypto-forward U.S. administration taking office, many are anticipating that the barriers to payment rail access will soon come down. Other crypto-friendly regimes, such as Hong Kong, have been known to strongly encourage prominent correspondent banks in their region to serve the crypto sector;[4] likewise, insiders anticipate an Executive Order in the first days of the Trump presidency addressing the de-banking experienced by the cryptocurrency industry in recent years.[5] Assuming that this Executive Order, or similar regulatory clarity, soon comes to pass, both banks and cryptocurrency firms should start preparing for the next wave of fiat payment rail enablement and the due diligence best practices that will inevitably emerge.
Considerations for Banks/BaaS Providers Planning to Offer Payment Rails
The provision of fiat payment rails to crypto native firms is essential to driving mainstream crypto adoption. As such, banks and BaaS providers are key to unlocking growth in the crypto industry. As they explore service provision to crypto players, banks and BaaS providers striving to ensure financial integrity while meeting the business needs of this unique sector should take into consideration the elements outlined below.
- Governance, Management Oversight, and Staffing
- Ensure that the board, senior management, and staff across the three lines of defense have a robust understanding of cryptocurrency and the unique risks associated with serving the sector prior to changing your business model.
- Invest in additional specialized training and consider hiring additional staff with specialized skills and experience to address knowledge gaps.
- Perform a new business review to identify and remediate control gaps prior to supporting a new business model, particularly one that involves provision of fiat rails to cryptocurrency firms and end users.
- Develop a formal risk appetite statement, including risk appetite thresholds and early warning indicators, to identify and monitor for potential concentration risk, spikes in transaction volumes, and changes to customer risk.
- Maintain change management/horizon scanning processes and controls, especially given the ever-evolving nature of the crypto regulatory landscape.
- Internal Controls
- Perform an AML and sanctions risk assessment that evaluates customer, geographic, product/service, transaction, and delivery channel inherent risks and the effectiveness of the organization’s control environment, in order to assess whether there are risks requiring additional mitigation and enhancements to the control environment.
- Review and update the organization’s financial crimes compliance (FCC) program to address the unique risks associated with provision of services to the cryptocurrency industry, including making updates to relevant policies, procedures, and controls as needed, across the firm’s transaction monitoring, customer due diligence, and sanctions programs.
- Consider performing a transaction monitoring coverage assessment to ensure that the organization’s transaction monitoring ruleset is designed appropriately to capture any additional risks associated with serving the cryptocurrency industry.
- Consider developing bespoke continuous monitoring and information exchange/request for information (RFI) programs with cryptocurrency exchange customers to ensure more effective monitoring and reporting associated with end user activities.
- Consider implementing specialized commercial solutions such as blockchain analytics to perform additional monitoring of cryptocurrency customer activity, ensuring that personnel using this specialized software have the requisite skills and experience to effectively utilize these tools.
- Know Your Customer (KYC) Program
- Review existing customer onboarding, due diligence, and enhanced due diligence processes, and modify as necessary to ensure risk-based KYC controls for cryptocurrency industry customers.
- To the extent that external forms like the Wolfsberg Correspondent Banking Due Diligence or FCC Questionnaires (Wolfsberg CBDDQ or FCCQ) are leveraged, supplement these questionnaires with crypto-specific due diligence inquiries to check for Travel Rule compliance, use of specialized software such as blockchain analytics, and controls related to higher risk coins such as anonymity-enhancing coins and privacy coins.
- Consider performing an analysis of cryptocurrency industry participants to ensure appropriate risk-based segmentation of customers (i.e., based on business model, regulatory status, etc.).
- As part of this exercise, consider the impact of different cryptocurrency industry participants on the organization’s customer risk rating (CRR) methodology and update the CRR methodology as needed.
- Consider implementing bespoke ongoing monitoring and RFI processes to supplement the customer due diligence program.
- Business Processes
- Designate and train specialized account/relationship managers to pre-screen prospective customers and manage crypto industry customer relationships.
- Consider designing risk-based performance incentives to discourage undue risk-taking.
- Develop and document the organization’s crypto business strategy, as this will enable the strategy to be communicated both internally to relevant stakeholders and externally to regulatory authorities.
- Develop specialized account structures for omnibus accounts associated with cryptocurrency customers.
- Consider the industry’s requirements for 24/7/365 transaction settlement and assess what enhancements may be required to core banking systems and processes to meet these demands.
- Invest in technology resources and establish application programming interfaces (APIs) to enable seamless integration between your banking services and your customers’ platforms and interfaces.
- Regulatory Communications
- Proactively communicate anticipated changes to product and service offerings to regulatory authorities, including outlining any risk and control assessments performed and any new controls being implemented to manage newly identified risks.
Considerations for Crypto Firms Seeking Payment Rails
On the flip side, as crypto natives engage with bank partners in search of fiat payment rails, they ought to prepare for heightened FCC and risk management standards and consider how this might impact their staffing and operations, as outlined below.
- Documented and Effective FCC Program
- Maintain a documented FCC risk assessment methodology outlining inputs into the firm’s FCC risk assessment, and perform detailed, data-driven FCC risk assessments on at least an annual basis.
- Be prepared to share the results of the latest FCC risk assessment with prospective bank partners at onboarding and at least annually going forward as part of the bank’s periodic review process.
- Maintain a documented FCC policy tailored to the unique products and services of the firm, supported by a program of related policies, procedures, and systems (e.g., blockchain analytics, sanctions screening, identity verification, etc.).
- Be prepared to share a copy of the FCC policy with prospective bank partners and be prepared to respond to inquiries with respect to the firm’s FCC control framework, including the frequency with which controls are executed.
- Consider maintaining an updated response to an industry-standard questionnaire, such as the Wolfsberg CBDDQ, that can be shared with prospective bank partners upon request.
- Conduct an annual independent audit/review of the firm’s FCC program to ensure that the FCC program and key FCC controls are operating effectively.
- Be prepared to share the results of the independent audit/review with prospective bank partners and be prepared to provide details with respect to the status of any applicable corrective actions.
- For firms under a public regulatory enforcement action, be prepared to provide details with respect to the status of corrective actions and remediation plans in response to the enforcement action.
- Maintain a robust process for information sharing with bank partners on mutual customers, both through a formal 314(b) process and through any documented service-level agreement (SLA) processes maintained with the bank partner.
- For firms that are early-stage start-ups with plans to rely on a BaaS provider prior to acquiring money transmitter licenses, retain qualified outside counsel to provide a legal opinion outlining why the firm operates without money transmitter licenses. Further, early-stage start-ups should maintain documented business plans that clearly articulate the firm’s products/services, core customer segments, geographies, and any imminent plans for geographic expansion.
- Be prepared to share both the legal opinion and the firm’s business strategy with prospective bank partners and be prepared to engage with representatives of the bank to answer questions with respect to the firm’s business model, regulatory status, products/services, planned use cases, and anticipated payment flows.
- Staffing and Resourcing
- Appoint a qualified Bank Secrecy Act (BSA) officer with sufficient authority and oversight of the FCC program and maintain sufficient and qualified resources to keep up with the operational demands of rapid growth in customer and transaction volumes.
- Maintain sufficient and qualified personnel to respond to bank partner inquiries in a timely manner, including onboarding due diligence questionnaires, periodic reviews, bank partner-mandated SLAs and reporting requirements, and ad hoc inquiries.
- Consider working with prospective bank partners to document a formal process for periodic reviews and RFIs in order to effectively manage resources and ensure timely responses to bank partner inquiries.
- For firms with multiple bank partners, consider maintaining an updated repository of responses to frequently requested information/questions in order to streamline the response process.
- Other Compliance and Risk Controls
- For firms serving retail customers, maintain an effective process for tracking and resolving customer complaints in a timely manner.
- Maintain a documented policy covering market abuse and market surveillance, supported by a system of controls to monitor for market abuse and manipulation.
- Maintain a process for third-party vendor risk management, and in particular, be prepared to speak to processes for managing critical compliance vendor relationships.
As crypto firms continue to mature and strengthen their risk management practices, it is wise to think beyond simply meeting bank partner expectations and begin assessing whether a prospective bank partner is an appropriate fit. Just as the bank is doing due diligence on the crypto firm, the crypto firm ought to be performing due diligence on the bank. Some areas to consider are outlined below.
- Risk and Compliance Posture
- Ensure that the prospective bank partner is compliant with relevant regulatory requirements in the jurisdictions in which both the crypto firm and the bank conduct business.
- Does the bank have any public enforcement actions or is it the subject of recent material negative news?
- Is the bank in good standing with relevant regulatory authorities?
- What is the quality of the bank’s risk and compliance leadership, FCC programs, and subject-matter expertise?
- What is the size of the bank’s risk and compliance departments versus the size of its customer portfolio and transaction activity?
- Consider the stability of the bank and whether the bank’s customer portfolio is overly concentrated in the crypto sector such that there may be potential for systemic risk.
- Does the bank appear to have robust risk management controls and knowledgeable risk leadership?
- Product/Service Fit
- Assess whether the bank has sufficient expertise and services to support the crypto industry.
- Does the bank possess the appropriate technical capabilities to support a crypto firm’s operations (e.g., APIs, settlement network)?
- Does the bank serve similarly sized crypto market participants, and can the bank handle the crypto firm’s anticipated transaction volumes, values, and customer segments?
- Does the bank have access to the most in-demand fiat currencies for the firm’s operations (e.g., USD, GBP, EUR)? Does the bank have a strong correspondent banking network to support needed cross-border payments to the extent that this is important for the crypto firm’s business model?
- Can the bank scale with the crypto firm’s product and service ambitions by supporting different payment methods and products (e.g., cards, demand deposit accounts, etc.)?
How K2 Integrity Can Help
Given the many considerations and potential program updates necessary for both banks and crypto firms to unlock crypto-fiat rails, here are some ways that K2 Integrity can help TradFi, Fintech, and crypto native firms:
Bank Partners/BaaS Providers | Crypto Firms |
Speak to K2 Integrity representatives from the Crypto and Digital Asset Solutions practice to learn more about how K2 Integrity can support you in tailoring your FCC program and controls to manage the unique risks posed by digital assets and to navigate financial partnerships.
[1] Celarier, M. (24 January 2023), “The Crypto Industry’s Favorite Bank Is in Deep Trouble,” New York Magazine, https://nymag.com/intelligencer/2023/01/silvergate-crypto-industrys-favorite-bank-in-deep-trouble.html.
[2] U.S. Treasury (3 January 2023), “Joint Statement on Crypto-Asset Risks to Banking Organizations,” Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency, https://www.occ.treas.gov/news-issuances/news-releases/2023/nr-ia-2023-1a.pdf.
[3] Ibid.
[4] Fintech News Hong Kong (3 July 2023), “HKMA Steps Up Pressure for Banks to Accept Crypto Companies as Clients,” https://fintechnews.hk/22662/hong-kong/hkma-steps-up-pressure-for-banks-to-accept-crypto-companies-as-clients/.
[5] Zakrzewski, C., and Alemany, J. (13 January 2025), “Elon Musk Isn’t the Only Tech Leader Helping Shape the Trump Administration,” Washington Post, https://www.washingtonpost.com/politics/2025/01/13/andreessen-tech-industry-trump-administration-doge.