Introduction
FIL-16-2022 is most useful now as a guide to the kinds of crypto risks the FDIC watched closely, not as current binding procedure. The April 7, 2022 letter required FDIC-supervised banks to notify the agency before engaging in crypto-related activities, and the later March 2025 rescission removed that notice gate without eliminating the need for careful supervision, disclosures, and risk controls.
For a bank revisiting digital-asset work, the practical lesson is not that crypto is fully approved or fully blocked. The bank still has to define the exact activity, identify who controls customer relationships and funds, and show how safety-and-soundness, consumer-protection, and operational risk are managed under the current supervisory framework. That is why this page keeps the focus on governance and supervisory expectations rather than pretending the rescinded letter created a new crypto rule.
The original notice regime still matters because it shows which risks drew the agency’s attention: consumer confusion, liquidity and market volatility, operational resilience, legal uncertainty, and broader financial-stability concerns. Those themes remain relevant whenever a bank touches crypto-assets, custody, stablecoin infrastructure, settlement, or customer-facing insurance claims.
What FIL-16-2022 Required
The core requirement was straightforward: before engaging in a crypto-related activity, or if already engaged in one, an FDIC-supervised institution should promptly notify the appropriate FDIC regional director. The initial notice had to describe the activity in detail and provide the bank’s proposed timeline. After receiving the notice, the FDIC could ask for additional information and would review the proposal through a safety-and-soundness, consumer-protection, and financial-stability lens.
That matters because the letter created a supervisory gate, even though it was framed as a notification requirement rather than a formal application process. A bank could not responsibly treat the notice as a short email saying it was exploring digital assets. Management needed to be prepared to explain the product structure, legal authority, customer base, third-party dependencies, control framework, accounting treatment, liquidity implications, and compliance program. Institutions that approached the process casually risked turning a strategic initiative into a prolonged supervisory problem.
It is also important to describe the letter accurately in hindsight. FIL-16-2022 did not itself resolve whether a specific crypto activity was permissible. It required notice so the FDIC could assess the specific activity and provide supervisory feedback. That is why the practical takeaway is governance, not headline-level optimism or hostility.
Why the FDIC Was Concerned
The 2022 letter identified several overlapping risk categories. First, the FDIC was concerned about safety and soundness. Crypto-related activity could expose a bank to novel credit, market, liquidity, operational, and counterparty risks. The agency noted uncertainty around valuation, accounting, and the ability to measure asset quality and exposures. Those concerns were especially acute where the activity depended on rapidly changing market infrastructure or on counterparties outside the traditional insured-bank model.
Second, the FDIC raised consumer-protection concerns. One of the clearest examples involved customer confusion about what is and is not insured by the FDIC. A bank might offer or facilitate crypto-related services while customers incorrectly assume the underlying crypto asset has the same protections as a deposit account. That kind of confusion can create reputational and legal risk quickly, particularly when marketing language, website placement, or partner communications blur the line between insured deposits and non-deposit products.
Third, the FDIC emphasized potential financial-stability and systemic concerns. The agency warned that disruptions in certain crypto markets or structures could trigger destabilizing runs, fire-sale behavior, or other contagion effects. A bank did not need to be a large direct crypto trader to feel those pressures; the risk could arise through funding dependencies, reserve structures, settlement arrangements, or interconnected vendors. The letter therefore pushed banks to think beyond product design and into scenario planning.
Which Activities Needed a Serious Risk Review
Thin articles often speak about “crypto” as if it were a single product line. In reality, the risk profile can vary dramatically depending on what the bank is doing. Acting as a custodian for crypto-assets, providing banking services to crypto firms, maintaining stablecoin-related reserves, enabling customer purchases or sales, facilitating settlement, or participating in tokenized-asset infrastructure each raises different questions. The same is true for partnerships where the bank’s name, systems, or deposit products are being used in connection with a digital-asset offering managed by a nonbank.
Under FIL-16-2022, management should have assumed that activities touching customer funds, bank balance-sheet exposure, custody arrangements, token redemption mechanics, or public marketing claims would invite close supervisory attention. Even where the bank believed the activity was legally permissible, the real question was whether it could explain the control environment in a way that matched the novelty and speed of the risk.
That means the useful analysis is not “is crypto allowed?” The better question is: what exactly is the bank doing, where does the risk sit, who controls the customer relationship, what representations are being made, and how would the institution unwind the activity if market stress, legal change, or partner failure made continuation unsafe?
What a Credible Notice Package Needed to Show
A serious FIL-16-2022 submission needed more than a business case. It needed to show that the bank had identified the activity precisely and understood its legal and operational boundaries. That typically meant describing the product, the customer base, the role of any affiliates or fintech partners, the technology stack, how funds or assets moved, and what contractual rights the bank actually had if something went wrong.
The notice should also have addressed governance. Which committee approved the activity? What board reporting would exist? How would compliance, BSA/AML, information security, audit, finance, and operations monitor the program? If the bank was relying heavily on a third party, how would vendor management and contingency planning work in practice? Those questions often separate a real banking proposal from a slide deck dressed up as innovation strategy.
Another core point is documentation around customer disclosures and deposit-insurance messaging. If a bank’s product design, partner website, or onboarding materials could cause a customer to believe a crypto asset was FDIC-insured, management needed to fix that before launch. The FDIC’s later 2022 advisory on deposit-insurance representations reinforced that this was not a theoretical issue.
Common Failure Points for Banks Exploring Crypto Activity
One recurring problem is assuming the hardest issue is technology when the harder issue is governance. A bank may have a capable vendor and a technically sound integration, but still be unable to explain legal authority, customer disclosures, liquidity stress, or the treatment of complaints and disputes. Another problem is underestimating concentration risk. Even if the bank is not holding large amounts of crypto-assets directly, a narrow customer base or heavy dependence on one sector of the digital-asset market can create sharp deposit, reputational, or operational swings.
Institutions also get into trouble when they do not map how ordinary bank controls apply to a non-ordinary product. BSA/AML monitoring, sanctions screening, suspicious-activity escalation, complaint handling, vendor oversight, and information-security expectations do not disappear because the activity is new. If anything, the novelty of the activity means those controls need more specificity, not less.
A third failure point is treating supervisory dialogue as a one-time hurdle. FIL-16-2022 was a front-end notice requirement, but the practical challenge was ongoing. If the bank changed its structure, expanded customer segments, adjusted marketing, or relied on a new partner, the risk profile could shift materially. Management needed a process for re-evaluating the activity, not just launching it.
How the 2025 Rescission Changes the Analysis
In March 2025, the FDIC rescinded FIL-16-2022 and stated that FDIC-supervised institutions may engage in permissible crypto-related activities without obtaining prior FDIC approval, so long as they manage the associated risks appropriately. That policy change matters, but it should not be misread as a signal that the underlying risks disappeared. The agency’s later guidance still expects safe-and-sound operation, compliance with applicable law, and thoughtful engagement with supervisory teams where appropriate.
For that reason, FIL-16-2022 still has value as a risk map. It shows which areas the FDIC regarded as especially sensitive: consumer confusion, liquidity and market volatility, operational resilience, legal uncertainty, and the potential for broader destabilizing effects. Even though the process changed, those themes remain relevant for institutions designing or revisiting digital-asset products.
A practical advisory page should therefore do two things at once. It should explain that the old prior-notice regime has been rescinded, and it should preserve the more durable lesson that crypto-related activities must still be scoped, governed, and documented like high-risk banking activities rather than treated as ordinary marketing expansions.
Board, Legal, and Compliance Questions to Ask Now
If a bank is reviewing an existing digital-asset relationship, a paused project, or a previously submitted notice, leadership should ask several grounded questions. What exactly is the bank doing today, and what customer or market assumptions was the original proposal built on? Has the institution documented the legal basis for the activity and the limits of what is represented to customers? Are third-party arrangements still accurate, and does the bank have realistic exit rights if the vendor or partner fails?
The bank should also test its disclosures. Where could a customer misunderstand the difference between a deposit account and a crypto-related product? What marketing or service scripts would create insurance confusion? Are complaint, fraud, sanctions, and suspicious-activity processes designed for the actual transaction patterns the activity creates? If management cannot answer those questions clearly, the problem is not just historical noncompliance. The problem is that the institution may still lack the operational discipline the FDIC wanted to see in the first place.
For lawyers and compliance officers, the safest framing is conservative. A bank should not launch, expand, or revive a crypto-related activity on the assumption that regulatory tone alone has solved the hard issues. Product structure, disclosures, vendor dependence, and risk appetite still drive the real analysis.
Frequently Asked Questions
Did FIL-16-2022 approve banks to offer crypto products?
No. It required FDIC-supervised institutions to notify the FDIC before engaging in crypto-related activities so the agency could review the proposal and provide supervisory feedback.
Is FIL-16-2022 still in effect?
No. The FDIC rescinded it in March 2025, but the letter still matters historically because it explains the risk categories and supervisory concerns that shaped many banks’ digital-asset planning.
What was one of the FDIC’s clearest consumer concerns?
Confusion about deposit insurance. Customers may misunderstand whether a crypto-related product offered by, through, or alongside a bank has the same protections as an insured deposit account.
What should a bank review before revisiting a crypto project?
Product structure, legal authority, vendor dependence, customer disclosures, liquidity and operational risk, BSA/AML controls, and realistic exit planning should all be reviewed before moving forward.
Share your details and we’ll follow up shortly.
Related Legal Resources
- FDIC Rescinds Failed Bank Acquisition Policy | FDIC Guidance
- FDIC Memo: Regulatory Capital Rule: Category I and II Banking Organizations, Banking Organizations with Significant Trading Activity, and Optional Adoption for Other Banking Organizations
- FDIC Final Rulemaking on Signs, Ads, and Insured Status Guidance
- FDIC FAQs on Capital Treatment of Tokenized Securities
- FDIC Extends Comment Period for Proposed Rule on Payment Stablecoins
