The Federal Deposit Insurance Corporation (FDIC) is underprepared to guide member banks regarding cryptocurrency-related activities and the risks they entail, according to the Agency’s Office of Inspector General (OIG).
To gain insights into the crypto activities of financial institutions, the FDIC sent out inquiries to banking firms under its jurisdiction. By January 2023, 96 institutions had indicated their interest in or disclosed their ongoing involvement with crypto assets.
“However, the Agency has not assessed the significance and potential impact of the risks. Specifically, the FDIC has not yet completed a risk assessment to determine whether the Agency can sufficiently address crypto-asset related risks through actions such as issuing guidance to supervised institutions,” the OIG said in a statement.
The exact number of institutions that received feedback from the FDIC was undisclosed. Some received recommendations to temporarily halt their crypto-related activities until the FDIC completed its assessment, but the Agency concealed this specific count.
The FDIC implemented a “bottom-up” strategy to address crypto-related risks, as outlined by the OIG. This strategy involves comprehending the crypto activities of supervised institutions, offering specific supervisory input on a case-by-case basis, and delivering comprehensive industry guidance in collaboration with other agencies.
The extreme volatility in the crypto-asset sector since 2020 prompted the reevaluation of risk assessment strategies. This sector had reached a market capitalization of $3 trillion by November 2021, only to drop to $1.2 trillion by April 2023. These fluctuations underscore various potential liquidity, market pricing, and consumer protection risks that the FDIC should consider.
The OIG recommended that the FDIC develop a plan with defined timelines for evaluating the risks linked to crypto-related activities. It also urged the FDIC to update the supervisory feedback process.
The OIG categorized its recommendations as non-substantial, noting that the FDIC had already agreed with the suggestions and intended to implement corrective measures by the conclusion of January 2024.
The revelations from the Inspector General’s Office highlighted the urgent requirement for legislative measures to regulate crypto assets. They also prompted inquiries about the potential consequences for the crypto and financial industries if these risks remain unattended.
Audit flags FDIC’s cloud risks
In an audit report published on July 25, FDIC’s OIG identified several deficiencies in the Agency’s governance and strategic controls during its transition to cloud computing. According to the OIG, these deficiencies present cybersecurity risks.
The report highlighted that the FDIC failed to follow several recommended cloud-related practices set out by the Office of Management and Budget (OMB), the National Institute of Standards and Technology (NIST), and FDIC guidelines.
Furthermore, the audit revealed that the FDIC lacked a comprehensive inventory of all data assets within its cloud environments. It also did not have a fully developed data catalog, indicating a lack of organization in managing its cloud assets.
Additionally, there was no exit strategy in place as part of the cloud strategy. This gap could create issues if the FDIC needed to end a contract with a cloud service provider. The audit also noted the absence of disposal strategies and decommissioning plans for legacy systems.
Furthermore, the audit pointed out that the FDIC had yet to develop Contract Management Plans (CMP) for all 17 contract actions related to cloud services. These contracts had a total value of over $546 million.
Nevertheless, the report acknowledged that the FDIC generally had effective strategies and governance processes for overseeing its cloud computing services.