The SEC’s Accounting Bulletin 121: Why Prudentially Regulated Banking Organizations Ought to be Exempted

  • The technological, legal and regulatory risks identified in the Securities and Exchange Commission (SEC) Staff Accounting Bulletin (SAB 121) are largely addressed or mitigated by existing prudential regulation and supervisory oversight.
  • Therefore, prudentially regulated banking organizations (banking organizations) should be exempted from SAB 121.
  • More generally, the prudential agencies and the SEC should collaborate on the regulation of crypto-assets and, where appropriate, jointly provide guidance on the various issues raised by banking organizations engaging in crypto-asset activities.

Background on SAB 121

On March 31, 2022, the SEC’s Office of the Chief Accountant and Division of Corporation Finance (collectively, the “SEC staff”) published Staff Accounting Bulletin 121 (SAB 121), which sets out the SEC staff’s views on the accounting treatment for obligations to safeguard crypto-assets by public companies, including banking organizations.  The SEC staff believes these safeguarding arrangements give rise to unique technological, legal and regulatory risks, and, as a result, may increase the risk of financial loss.  SAB 121, therefore, requires public companies to make certain disclosures and record on their balance sheets a liability and a corresponding asset at the fair value of the crypto-assets that they are safeguarding for their “platform users”.[1]

While we understand the broader public policy objectives that the SEC staff were trying to accomplish in issuing SAB 121, banking organizations should be exempted from its provisions because the risks it identifies are either not present or are otherwise significantly mitigated by prudential regulation and supervision, established commercial law applicable to banking organizations, and relevant case law.

SAB 121 Creates an Overly Broad Definition of Covered Assets/Arrangements

SAB 121 applies to the safeguarding of “crypto-assets”.  SAB 121 defines a crypto-asset as “a digital asset that is issued and/or transferred using distributed ledger or blockchain technology using cryptographic techniques”.[2]  We believe that the scope of assets and arrangements that could fall within this definition is too broad and likely captures assets and arrangements that do not trigger the risks identified in SAB 121.

Certain arrangements, such as where blockchain is used for record-keeping purposes in a permissioned format, should be excluded from the definition of crypto-assets and, therefore, excluded from SAB 121’s requirements regardless of the status of the person involved in the arrangement because the asset or arrangement itself does not trigger the risks noted in SAB 121.  Other arrangements or assets that potentially might raise the risks identified in SAB 121 should be excluded from the SAB’s requirements when offered by a banking organization because such organizations are subject to established regulatory, operational, and legal standards that eliminate or largely mitigate the risks identified in SAB 121.[3]

Prudential Regulation and Supervision

In SAB 121, the SEC staff identify various unique technological, legal and regulatory risks, and heightened risk of financial loss, that could arise from crypto-asset safeguarding arrangements.  Diagram 1 below maps these risks to the relevant risk-based capital and liquidity requirements, and ongoing supervisory requirements that exist under the prudential regulatory framework.  The diagram also lists several other relevant components (i.e., stress capital requirements, leverage capital requirements and Global Systemically Important Bank or G-SIB surcharge) of the prudential regulatory framework that ensure capital adequacy and thereby mitigate bankruptcy risks of banking organizations.  As explained in more detail in the following sections, we believe the risks identified in SAB 121 are largely addressed or mitigated by this regulatory and supervisory regime.

In light of the exponential growth in crypto-asset markets, The Federal Reserve Board (FRB), the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC) (collectively, “prudential agencies”) started a crypto-asset policy sprint late last year.  The prudential agencies staff reviewed several crypto-asset services, including safeguarding of crypto-assets and customer demand facilitation, that banking organizations might offer.  In a joint statement released on November 23, 2021, the prudential agencies stated that “[t]hroughout 2022, the [prudential] agencies [plan to] provide greater clarity on whether certain activities related to crypto-assets conducted by banking organizations are legally permissible, and expectations for safety and soundness, consumer protection, and compliance with existing laws and regulations related to crypto-asset safekeeping and traditional custody services” and other crypto-asset activities.[4]  In the same statement, the prudential agencies also stated that “the [prudential] agencies will continue to engage and collaborate with other relevant authorities, as appropriate, on issues arising from activities involving crypto-assets.”[5]  We believe it is prudent and in-line with the November 2021 joint statement for the prudential agencies and SEC to collaborate on issues arising from banking organizations engaging in crypto-asset activities, including issues raised in SAB 121.

How Are Technological Risks Mitigated?

SAB 121 refers to technological risks as “risks with respect to both safeguarding of assets and rapidly-changing crypto-assets in the market that are not present with other arrangements to safeguard assets for third parties”.[6]  Banking organizations are actively engaged in many areas of financial innovation involving distributed ledger technology, including the development of safeguarding solutions for crypto-assets.  These solutions include robust procedures, processes and controls that protect against theft, loss and unauthorized or accidental transactions.

Further, banking organizations are required to follow due diligence, risk review and risk management processes when safeguarding all financial assets (including crypto-assets) and are subject to ongoing supervision through the supervisory examination process.  Banking organizations also are subject to extensive technology-related oversight.  In particular, the FRB considers the risks associated with information technology in its evaluation of a banking holding company’s (BHC) significant business activities and assesses the effectiveness of the risk-management process of the BHC.[7]  The OCC and the FDIC both have issued guidance to ensure supervised institutions and their third party service providers and software vendors maintain safe and sound banking practices.[8]

As with any traditional asset, financial losses (and thus heightened bankruptcy risks) associated with technological risks arising from a crypto-asset eventually crystallizes through one of three channels:

  • Price changes (i.e., market risk);
  • Obligor defaults (i.e., credit risk); and
  • Loss resulting from inadequate or failed internal processes, people, and systems or from external events including legal risk (i.e., operational risk).

Prudential regulation requires banking organizations to hold adequate capital against each of these risks to absorb potential losses due to market risk, credit risk and operational risk respectively, including losses resulting from these risks under various scenarios under the forward-looking stress testing framework.  In addition, banking organizations are required to maintain enough high-quality liquid assets to meet near-term cash outflows and stable funding to support their assets and obligations over the medium-term.

How Are Legal Risks Mitigated?

SAB 121 states that legal risks arise “due to the unique characteristics of [crypto-assets] and the lack of legal precedent, there are legal questions surrounding how such arrangements would be treated in a court proceeding arising from an adverse event (e.g., fraud, loss, theft, or bankruptcy)”.[9]

With respect to legal risks in insolvency, there are multiple legal bases to conclude that safeguarded assets are not the property of a custodian bank upon such events, specifically: (1) treatment under the Uniform Commercial Code (UCC) Article 8; (2) case law regarding the insolvency of banking organizations that hold assets under custody; and (3) regulatory and supervisory guidance applicable to banking organizations that safeguard customer assets.  These legal bases work together with contractual provisions to help ensure that custodial assets will not be treated as assets of the custodian.

Additionally, banking organizations must adhere to well established regulations and standards, and benefit from established legal precedents, including for safeguarding assets, such that the assets are not subject to claims from unsecured creditors should the banking organization become insolvent.  Further, bank custody arrangements clearly document and disclose to customers their rights and responsibilities, including allocation of the risks of fraud, loss and theft.  Further, financial loss resulting from legal risk is subject to the operational risk capital requirement under the risk-based capital requirements of prudential regulation.

How Are Regulatory Risks Mitigated?

SAB 121 defines regulatory risks “as compared to many common arrangements to safeguard assets for third parties, there are fewer regulatory requirements for holding crypto-assets for platform users or entities may not be complying with regulatory requirements that do apply, which results in increased risks to investors in these entities”.[10]

Banking organizations must obtain supervisory approval (or at least non-objection) prior to engaging in any new type of business activity, including crypto-asset activities.  The life-cycle of a banking organizations various lines of business is subject extensive regulation. For example:

  • Before entering a new line of business, a banking organization must either receive approval or non-objection from its primary prudential regulator. This process entails a rigorous pre-approval planning phase for the banking organization and an extensive and probing analysis of the new business by the prudential regulator.
  • While engaged in a line of business, a banking organization must have robust policies and procedures and a mature compliance system to oversee the activities.
  • Prudential regulators will examine and supervise the banking organization’s line of business and subject the banking organization to possible examine deficiencies and enforcement actions.
  • The banking organization’s line of business will be subject to extensive, regular regulatory reporting obligations.
  • Many banking organizations have on-site prudential agency staff.

On an ongoing basis, banking organizations must ensure compliance with prudential regulation (e.g., capital and liquidity requirements), which address the risks identified in SAB 121.  In addition, they are subject to continuous supervision, in many cases including on-site prudential agency supervisory personnel, which examines for compliance with prudential regulatory requirements.

Additionally, the FRB expects BHCs to establish and maintain an effective system of controls that promotes effective operations and reliable financial and regulatory reporting, safeguards assets, and promotes compliance with relevant laws and regulations.[11]  Similarly, the OCC sets out its risk-based bank supervision processes and expectations for banks.[12]  On custody activities, the OCC’s guidance regarding custody services requires banking organizations to separate and safeguard custodial assets; establish effective policies, procedures, and internal controls; and disclose in custodial contracts and agreements the custodian’s duties and responsibilities.[13]  The OCC expects banking organizations to have adequate controls in place prior to engaging in crypto-assets activities and be reviewed as part of ongoing supervision process.[14]  In addition, custody assets are generally protected and transferred to a receiver under longstanding FDIC rules governing bank insolvency and resolution practices.


SAB 121 identifies technological, legal and regulatory risks, including heightened risks of financial loss, as unique risks that arise from crypto-asset safeguarding arrangements.  We believe these risks are largely addressed or mitigated for banking organizations by prudential regulation and on-going supervision and stress testing.

Additionally, we believe that applying SAB 121 to banking organizations will give rise to a wide range of negative knock-on effects that ultimately will harm customers and the broader economy.  For example, applying SAB 121 to banking organizations likely will cause significant capital, liquidity, and other costs under the existing prudential regulatory framework.  These costs will make it economically impractical for banking organizations to provide crypto-asset safeguarding activities to customers.

By effectively precluding banking organizations from serving clients seeking crypto-asset safeguarding services, SAB 121 would force customers to seek custody services from unregulated entities with negative impacts on customers, financial markets, and the broader economy. In this way, SAB 121:

  • Runs counter to the touchstone regulatory goals of safety and soundness followed by the prudential regulators;
  • Is at odds with the SEC’s mission of protect customers, maintaining fair, orderly, and efficient markets, and facilitating capital formation; and
  • Is incongruous with SEC Chair Gensler’s stated goal of bringing regulatory order and customer protection to the crypto-asset market.[15]

For all these reasons, we believe banking organizations should, therefore, be exempt from SAB 121. Moreover, per the joint crypto-asset policy sprint statement,[16] the prudential agencies should work expeditiously to complete their crypto-asset sprint and collaborate with the SEC to provide clarity on enhanced customer protection in crypto-asset markets.

Dr. Guowei Zhang is Managing Director and Head of Capital Policy SIFMA, Mr. Kevin Zambrowicz is Managing Director and Associate General Counsel SIFMA, and Mr. Carter McDowell is Managing Director and Associate General Counsel SIFMA

[1] “Platform users” is a term that SEC staff use throughout SAB 121.  See generally

[2] SAB 121 n3, available at

[3] AICPA Accounting for and auditing of digital assets (June 30, 2022) (stating “[s]ome “crypto-assets” can have differences that may warrant further analysis to determine if they are in scope of SAB No. 121. For example, “crypto-assets” on a public permissionless blockchain likely present many of the risks outlined in SAB No. 121. However, “crypto-assets” on a private permissioned blockchain may not contain those same risks and may be out of the scope of SAB No. 121 if, for example, the ability to amend, correct, or cancel transactions exists.”), available at

[4] FRB, OCC and FDIC, Joint Statement on Crypto-Asset Sprint Initiative and Next Steps, available at

[5] Id.

[6] SAB 121, available at


[8] and

[9] Id..

[10] Id.





[15] See, e.g., Prepared remarks of Chair Gary Gensler on crypto markets, available at

[16] FRB, OCC and FDIC, Joint Statement on Crypto-Asset Sprint Initiative and Next Steps, available at