Federal Reserve and FDIC Withdraw Crypto-Asset Guidance for Banks; OCC Issues Clarification for Banks

Go-To Guide:

The Board of Governors of the Federal Reserve System (Board) has withdrawn supervisory guidance for Board-supervised banks concerning crypto-asset and dollar token activities and Board expectations for these activities. 
The Board, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) also withdrew joint supervisory statements on crypto-asset activities and exposures. 
The OCC issued Interpretive Letter #1184 (IL 1184) reaffirming that OCC-supervised banks can provide and outsource crypto-asset custody services. 
It is unclear whether the Board and the FDIC will issue additional guidance for integrating cryptocurrency in the U.S. banking system. 
Until regulators issue specific and comprehensive crypto-asset guidance, banks should proceed with caution and adhere to existing safety and soundness expectations. 

On April 24, 2025, the Board withdrew its supervisory guidance for Board-supervised banks relating to crypto-asset and dollar token activities.1 The Board rescinded (1) its Aug. 16, 2022, supervisory letter that required state member banks engaging, or seeking to engage in, crypto-asset activities to provide the Board with advance notification; and (2) its Aug. 8, 2023, supervisory letter that imposed a non-objection process on state member banks issuing, holding, or transacting in dollar tokens2 to facilitate payments. 
Furthermore, the Board and the FDIC joined the OCC in withdrawing from their joint statements regarding crypto-asset activities and exposures. The Board and the FDIC withdrew (1) their Jan. 3, 2023, joint statement that identified risks associated with the crypto-asset sector and expressed safety and soundness concerns with crypto-asset activities, and (2) their Feb. 23, 2023, joint statement on liquidity risks related to certain sources of funding from crypto-asset entities, which emphasized the importance of effective risk management practices.3 
On May 7, 2025, the OCC issued IL 1184 clarifying that “banks may buy and sell assets held in custody at the custody customer’s direction and are permitted to outsource bank-permissible crypto-asset activities, including custody and execution services to third parties, subject to appropriate third-party risk management practices.” Related services include facilitating the customer’s cryptocurrency and fiat currency exchange transactions, transaction settlement, trade execution, recordkeeping, valuation, tax services, and reporting. The OCC noted that banks may provide crypto-asset custody services in a non-fiduciary or fiduciary capacity subject to 12 C.F.R. part 9 or 150, as applicable. While prior regulatory approval is not required, the OCC expects banks to conduct such activities “in a safe and sound manner and in compliance with applicable law.”
These developments are aligned with the broader objective of the Trump administration to position the United States as a leader in the cryptocurrency and financial technology space, as it noted during its first months after taking office.4
Potential Implications
These actions remove procedural regulatory hurdles for banks engaging in crypto-asset activities. Banks now have greater autonomy to explore permissible crypto-related activities without undergoing a prior supervisory review process. However, without explicit pre-approval, banks bear more responsibility for ensuring permissible crypto-asset activities are “consistent with safety and soundness and applicable laws and regulations.”5  
The OCC’s issuance of IL 1184 reaffirms and expands upon previous guidance regarding national banks’ authority to engage in crypto-asset activities in that “[p]roviding crypto-asset custody services is a modern form of traditional bank custody activities.”6 
The Board expressed that it “will instead monitor banks’ crypto-asset activities through the normal supervisory process.”7 It is unclear whether the withdrawal of guidance will ease legacy regulatory barriers for banks seeking to engage in crypto-related activities. The Board noted that it will work with the FDIC and the OCC to determine whether additional guidance is appropriate.8 The FDIC stated that it is working with the agencies to explore “issuing additional clarity with respect to banking organizations’ crypto-asset and related activities in the coming weeks and months.”9 
Takeaways
While crypto is a newer asset class, federal regulators have made it clear that existing risk management expectations apply, regardless of the type of asset or technology involved. Regulators expect banks to treat crypto activities with the same level of rigor as any other line of business – if not more so, due to their volatility, legal ambiguity, and operational complexities.10 While the federal banking agencies indicated they are considering whether to issue additional guidance, banks are now operating with minimal guidance for crypto-asset specific activities. For now, banks should be prepared to learn of crypto-specific regulatory expectations during the examination process. The agencies’ statements regarding potential new guidance or clarity may serve as an opportunity to provide more tailored guidance in this space.
In the interim, banks currently engaged or considering engaging in digital-asset activity should continue to consider the prior guidance in maintaining or establishing controls for digital-asset activity, and at the same time, remain vigilant of any further guidance the regulatory agencies may provide. Key principles and practices from traditional bank risk guidance should be applied to crypto activities, including, but not limited to: KYC and CDD;11 AML and CFT;12 Third-Party Risk Management;13 Operational Risk Management;14 and Governance and Risk Appetite Frameworks.15 While banks should consider engaging federal regulators proactively to seek informal feedback even though formal pre-approval is no longer required, state-chartered banks should also consider whether to engage their state regulators, as there may be divergent comfort levels between federal and state regulators regarding permissible crypto-asset activities.

1 Federal Reserve Board, Federal Reserve Board announces the withdrawal of guidance for banks related to their crypto-asset and dollar token activities and related changes to its expectations for these activities, April 24, 2025 [hereinafter Federal Reserve Board announces the withdrawal of guidance for banks].
2 “Dollar tokens” are tokens denominated in national currencies and issued using distributed ledger technology or similar technologies to facilitate payments. Id.
3 Board, Federal Reserve Board announces the withdrawal of guidance for banks, supra note 1; see also FDIC, Agencies Withdraw Joint Statements on Crypto-Assets, April 24, 2025.
4 White House, Fact Sheet: Executive Order to Establish United States Leadership in Digital Financial Technology, Jan. 23, 2025. White House, Fact Sheet: President Donald J. Trump Establishes the Strategic Bitcoin Reserve and U.S. Digital Asset Stockpile, March 6, 2025.
5 FDIC, Agencies Withdraw Joint Statements on Crypto-Assets, supra note 7.
6 OCC, Interpretive Letter 1184.
7 Board, Federal Reserve Board announces the withdrawal of guidance for banks, supra note 1.
8 Id.
9 FDIC, Agencies Withdraw Joint Statements on Crypto-Assets, supra note 7.
10 See, e.g., Fed. Deposit Ins. Corp., Risk Review § 7, May 24, 2024, at 3 (discussing novel and emerging risks associated with crypto-asset activities).
11 FIN-2018-G001, Frequently Asked Questions Regarding Customer Due Diligence Requirements for Financial Institutions, April 3, 2018.
12 FinCEN, Anti-Money Laundering and Countering the Financing of Terrorism National Priorities, June 30, 2021.
13 Interagency Guidance on Third-Party Relationships: Risk Management, 88 Fed. Reg. 37920, June 9, 2023.
14 Board, FDIC and OCC, Sound Practices to Strengthen Operational Resilience, Oct. 30, 2020.
15 SR letter 21-3/CA letter 21-1, Supervisory Guidance for Boards of Directors of Domestic Bank and Savings and Loan Holding Companies with Total Consolidated Assets of $100 Billion or More (Excluding Intermediate Holding Companies of Foreign Banking Organizations Established Pursuant to the Federal Reserve’s Regulation YY) and Systemically Important Nonbank Financial Companies Designated by the Financial Stability Oversight Council for Supervision by the Federal Reserve.

SEC’s Division of Trading and Markets Issues New FAQ Guidance on Broker-Dealer Custody and Net Capital Treatment of Cryptoassets

The Securities and Exchange Commission (SEC) has taken a significant step toward permitting broker-dealers to custody digital assets and toward accounting for such proprietary digital assets in a broker-dealer’s net capital computation. On May 15, 2025, the SEC’s Division of Trading and Markets released a new FAQ titled “Frequently Asked Questions Relating to Crypto Asset Activities and Distributed Ledger Technology,” while simultaneously withdrawing its 2019 Joint Statement with the Financial Industry Regulatory Authority (FINRA) on the broker-dealer custody of digital asset securities. The new FAQ marks a notable shift from Division staff’s cautious approach in the 2019 Joint Statement, offering more practical pathways for broker-dealers to establish possession and control over “crypto assets that are securities”, in compliance with Rule 15c3-3 under the Securities Exchange Act of 1934, as amended (Customer Protection Rule). The update follows the SEC’s April roundtable on crypto custody challenges.
Previous SEC and FINRA Guidance on Custody of Cryptoasset Securities
The SEC’s 2019 Joint Statement with FINRA took a notably cautious stance on broker-dealer custody of “digital asset securities.” That statement expressed significant concerns about whether broker-dealers could comply with the Customer Protection Rule when custodying digital asset securities, emphasizing that digital assets create risks of fraud, theft and irreversible transfers.
This earlier guidance effectively steered broker-dealers away from direct custody by suggesting that “noncustodial activities involving digital asset securities do not raise the same level of concern.” The statement provided examples of permissible non-custodial models while explicitly stating that broker-dealers “may find it challenging to comply” with the Customer Protection Rule’s possession or control requirements when custodying digital asset securities directly. As indicated above, the SEC and FINRA withdrew this Joint Statement concurrently with the SEC’s issuance of the FAQ guidance.
The SEC followed the 2019 Joint Statement with the 2020 “Special Purpose Broker-Dealer” statement (SPBD Statement). This five-year position (set to expire in April 2026) outlined nine specific circumstances under which a broker-dealer would not face SEC enforcement action for deeming itself to have possession or control of customer digital asset securities. These conditions included requiring the broker-dealer to limit its business exclusively to digital asset securities, implement policies to assess distributed ledger technology, demonstrate exclusive control over private keys, establish procedures for responding to blockchain disruptions, and provide specific disclosures to customers about the risks of digital asset securities. The SPBD Statement remains in effect, but Commissioner Hester Peirce solicited comments during the Crypto Custody Roundtable on whether it should be withdrawn and, as discussed below, the new FAQ guidance ameliorates some of the impact of the rigid SPBD Statement.
New Pathway for Broker-Dealer Custody of Cryptoassets
The new FAQ represents a clear shift in approach. Most significantly, the Division clarified in Question 3 of the FAQ that the SEC’s 2020 SPBD Statement’s framework is not mandatory for broker-dealers seeking to custody customer cryptoassets that are securities. Instead, the FAQ states plainly that “a broker-dealer carrying crypto asset securities for a customer or PAB account may establish control under paragraph (c) of Rule 15c3-3.”
This guidance effectively opens standard “good control location” provisions to cryptoasset securities, even acknowledging in Question 2 that “the Staff will not object if such crypto asset securities are not in certificate form when held at an otherwise qualifying control location under paragraph (c) of Rule 15c3-3.” These clarifications remove significant barriers that previously limited broker-dealer participation in digital asset markets. Importantly, the FAQ also makes clear (see FAQ #1) that the possession and control requirements of the Customer Protection Rule do not apply to cryptoassets that are not securities.
Significantly, the new FAQ #4 clarifies that proprietary positions in bitcoin and ether are “readily marketable” and, therefore, may be used in the broker-dealer’s net capital computations, subject to the same haircut treatment as other commodities under Appendix B of SEC Rule 15c3-1. This is a substantial concession from the SEC’s previous requirement of a 100% haircut for these cryptoassets. The FAQ also provides helpful analysis on the application of SIPA and transfer agent requirements to crypto assets that are securities.
Terminology and Scoping Questions Remain
Despite providing guidance on custody of cryptoassets by broker-dealers and other regulatory requirements, the FAQ leaves for another day how one should determine whether a cryptoasset is or is not a security. (SEC Crypto Task Force Chair Hester Peirce, in her statement announcing the FAQs, characterized them as an “incremental step along the journey.”) The FAQ uses the phrase “crypto asset that is a security” throughout the document without definition, leaving market participants to decide for themselves which tokens might fall under this classification.
Determining whether a cryptoasset transaction constitutes an investment contract and thus a security requires a transaction-by-transaction analysis under the Howey test and its progeny. Courts have consistently held that digital assets themselves are not inherently securities, but rather certain offerings, sales, or transactions involving those assets may constitute investment contracts.[1] The FAQ’s terminology does not fully reflect this important distinction, and questions over the meaning of the term “crypto asset securities” continue to linger. The FAQ nevertheless provides important guidance for those cryptoassets clearly characterized one way or the other and sets up “plug-and-play” guidance as the SEC answers the ultimate question of cryptoasset security status.[2]

[1] See, e.g., SEC v. Ripple Labs, Inc., No. 20 Civ. 10832 (S.D.N.Y. July 13, 2023). 
[2] See Katten’s Quick Reads coverage of recent SEC staff statements regarding the classification of memecoins, proof-of-work mining, stablecoins here and here.

279 CLASS MEMBERS- $479,000 SETTLEMENT: The Pisa Group to Pay Over $1,600.00 Per Class Member In TCPA Settlement– But This One Is Interesting

Usually I would gripe about a TCPA settlement resulting in a payment of over $1,600.00 a class member. But in this case I kind of get it.
The Pisa Group has been trapped in a TCPA case since 2018.
That’s seven years of litigation in one case.
According to the amended complaint the defendant called Plaintiff repeatedly for marketing purposes without consent and kept calling after stop requests.
Well Pisa Group did not roll over in the case and fought it for years.
But all good things must come to an end *cough* so it elected to settle the claims of 279 people for nearly half a million dollars.
To be clear– they paid way too much for the class they settled. Then again holding plaintiffs counsel to a recovery of just ~$150k in fees for 7 years of work is pretty savage. Those guys have to be in a six figure hole on this. So nicely done!
Still you have to feel for Pisa Group who undoubtedly spent a half million in fees litigating only to pay another half million on top of that. This is not a large company that is out over a million bucks–and seven years of wasted time–on one TCPA case.
This did end up being a remarkable settlement for the class members– they will recover about $800.00 each! Not a bad recovery for someone who didn’t do anything but walk to the mailbox.
Case is Williams v. Pisa Group, 2025 WL 1410665 (E.D. Pa May 12, 2025).
Chat soon.

Is This Harvard Magazine Article Incorrect?

There have been numerous news reports about the discovery of an original Magna Carta at the Harvard Law School Library, including this article in Harvard Magazine. According to these reports, a document previously categorized as a “copy” of the famous charter has recently been determined to be the seventh known original of King Edward I’s 1300 Magna Carta.
Over the years, I have published several posts about Magna Carta, including Section 11 Class Actions And The Magna Carta, Non-Disparagement, The Magna Carta And Yelp, You Might Be Surprised By These Words In Magna Carta, and Why The Wall Street Journal Is Wrong About The Magna Carta.
I do have two cavils regarding Harvard Magazine’s article. The article asserts:
A group of rebellious barons forced King John to sign it, establishing fundamental rights such as due process and habeas corpus, a legal concept that guarantees freedom from illegal imprisonment.

Not true. King John, aka John Lackland, did not actually sign the charter. He authenticated the charter by affixing his seal.
Second, the article uses the definite article “the” when referring to the charter. The charter was written in Latin, which does not use articles. This mistake can even be found in the California Education Code Section 33540 which requires that the Instructional Quality Commission “consider” incorporating “The Magna Carta” into the history-social science framework developed by the History-Social Science Curriculum Framework and Criteria Committee.

SHOW CAUSE: Verizon’s Choice to Blow Off TCPA Subpoena May Cost It

Quick one for you this AM.
So a guy named Jason Crews brought a TCPA suit in Arizona.
He issued a subpoena to Verizon back in December to obtain records of allegedly illegal calls made to his number.
According to Crews Verizon received the subpoena and simply refused to respond to it– its employees told him “Verizon would not comply because the subpoena was not a court order.”
Hmmmm.
Crews asked the Court to hold Verizon in contempt for failure to respond to the subpoena and also asked the Court to require Verizon to better train its employees.
Well in Crews v. Bermudez, 2025 WL 1411900 (D. AZ May 15, 2025) the Court granted the Plaintiff’s request in part– it ordered Verizon to show up and explain why it had not responded to the subpoena and why it should not be held in contempt.
Eesh.
On the other hand the Court did refuse to issue an order requiring further training of Verizon employees.
Generally speaking it is not a good idea to fail to respond to a subpoena in TCPA cases– or any case really. Federal judges have tremendous power to make your life miserable!

Part 2: Children and Location: Ferguson’s FTC Privacy Enforcement Priorities

While Andrew Ferguson advocates for a restrained regulatory approach at the FTC, his statements and voting record reveal clear priority areas where businesses can expect continued vigorous enforcement. Two areas stand out in particular: children’s privacy and location data. This is the second post in our series on what to expect from the FTC under Ferguson as chair.
Our previous post examined Ferguson’s broad regulatory philosophy centered on “Staying in Our Lane.” This post focuses specifically on the two areas where Ferguson has shown the strongest commitment to vigorous enforcement, explaining how these areas are exceptions to his generally cautious approach to extending FTC authority.
Prioritizing Children’s Privacy
Ferguson has demonstrated strong support for protecting children’s online privacy. In his January 2025 concurrence on COPPA Rule amendments, he supported the amendments as “the culmination of a bipartisan effort initiated when President Trump was last in office.” However, he also identified specific problems with the final rule, including:

Provisions that might inadvertently lock companies into existing third-party vendors, potentially harming competition;
A new requirement prohibiting indefinite data retention that could have unintended consequences, such as deleting childhood digital records that adults might value; and
Missed opportunities to clarify that the rule doesn’t obstruct the use of children’s personal information solely for age verification.

Ferguson’s enforcement record as commissioner reveals his belief that children’s privacy represents a “settled consensus” area where the commission should exercise its full enforcement authority. In the Cognosphere (Genshin Impact) settlement from January 2025, Ferguson made clear that COPPA violations alone were sufficient to justify his support for the case, writing that “these alleged violations of COPPA are severe enough to justify my voting to file the complaint and settlement even though I dissent from three of the remaining four counts.”
In his statement on the Social Media and Video Streaming Services Report from September 2024, Ferguson argued for empowering parents:
“Congress should empower parents to assert direct control over their children’s online activities and the personal data those activities generate… Parents should have the right to see what their children are sending and receiving on a service, as well as to prohibit their children from using it altogether.”
The FTC’s long history of COPPA enforcement across multiple administrations means businesses should expect continued aggressive action in this area under Ferguson. His statements suggest he sees children’s privacy as uniquely important, perhaps because children cannot meaningfully consent to data collection and because Congress has provided explicit statutory authority through COPPA, aligning with his preference for clear legislative mandates.
Location Data: A Clear Focus Area
Ferguson has shown particular concern about precise location data, which he views as inherently revealing of private details about people’s lives. In his December 2024 concurrence on the Mobilewalla case, he supported holding companies accountable for:
“The sale of precise location data linked to individuals without adequate consent or anonymization,” noting that “this type of data—records of a person’s precise physical locations—is inherently intrusive and revealing of people’s most private affairs.”
The FTC’s actions against location data companies signal that this will remain a priority enforcement area. Although Ferguson concurred in the complaints in the Mobilewalla case, he took a nuanced position. He supported charges related to selling precise location data without sufficient anonymization and without verifying consumer consent. However, he dissented from counts alleging unfair practices in categorizing consumers based on sensitive characteristics, arguing that “the FTC Act imposes consent requirements in certain circumstances. It does not limit how someone who lawfully acquired those data might choose to analyze those data.”
What This Means for Businesses
Companies should pay special attention to these two priority areas in their compliance efforts:
For Children’s Privacy:

Revisit COPPA compliance if your service may attract children
Review age verification mechanisms and parental consent processes
Implement data minimization practices for child users
Consider broader parental control features

For Location Data:

Implement clear consent mechanisms specifically for location tracking
Consider anonymization techniques for location information
Document processes for verifying consumer consent for location data
Be cautious about tying location data to individual identifiers
Implement and document reasonable retention periods for location data

While Ferguson may be more cautious about expanding the FTC’s regulatory reach in new directions, these established priority areas will likely see continued robust enforcement under his leadership. Companies should ensure their practices in these sensitive domains align with existing legal requirements.

What’s That? WhatsApp Creates Legally Binding Contract (UK)

As insolvency practitioners (IPs) it is not unusual to have to consider the terms of a particular contract, whether that is enforcing the terms of that contract for the insolvent entity or considering the rights of the third party as against the company, and in some cases, it is necessary for IPs to enter into a contract themselves.
This blog from our colleagues in IP & Technology highlights how easy it can be to (inadvertently) create a legally binding contract – in this case by WhatsApp – standing as a reminder to IPs that exchanges of messages could be relevant when considering a third party contract, but also that care should be taken when exchanging messages so as not to create a binding contract when not intended. 

Walking the Talk, Ofcom’s Online Safety Act Enforcement

Back in March 2025, we published an article highlighting that Ofcom will be turning up the heat to ramp up pressure on platforms in relation to their duties to the UK’s Online Safety Act (OSA). There has been a flurry of activity from Ofcom on OSA compliance and it appears that the heat has indeed been turned up. 
The First Wave
On 9 May 2025, Ofcom published that it has opened investigations into two services regulated under Part 5 of the OSA, namely Itai Tech Ltd and Score Internet Group LLC. These investigations were initiated as part of Ofcom’s January 2025 Enforcement Programme into age assurance. It appears that some services failed to respond to Ofcom’s request in January 2025 and do not appear to have taken steps to implement measures in line with their duties under the OSA. The duty in question is that Part 5 service providers under the OSA must have highly effective age assurance in place from January 2025. 
Less than a week later, on 12 May 2025, Ofcom further published that it is launching additional investigations into Kick Online Entertainment S.A for failing to keep a suitable and sufficient illegal content risk assessment and for failing to respond to a statutory information request.
As outlined in our March 2025 article, platforms were expected to have completed their illegal harms risk assessment by 16 March 2025 and their children’s access assessment by 16 April 2025. The investigation into Kick Online Entertainment S.A is a clear indication that Ofcom will have a direct and serious approach in relation to its OSA enforcement. 
It’s Not Over 
Ofcom has additionally written to a number of services under Part 3 of the OSA (i.e. user-to-user services and search services) noting the deadline for mandatory age assurance on services that allow pornography or adult content and reminding platforms of their duties under the OSA. 
This shows that the initial round of enforcement programmes and investigations are just the beginning for Ofcom and further requests are likely to come, especially as the protection of children requirements come into force, details of which are outlined in our previous article available here.
Ofcom has further opened an enforcement programme into child sexual abuse imagery on file-sharing services, so it would be expected that a number of platforms are already in the process of communicating with Ofcom in relation to complying with their OSA duties. 
What to do when Ofcom (or anyone else) is knocking at your door
It is clear that Ofcom will not be ignored: if Ofcom writes to you, it is important you respond within the given timeframe. A failure to respond to requests has triggered three published investigations, so platforms should be careful and take Ofcom seriously when it writes to them, or risk being named publicly by Ofcom. 
Engagement with Ofcom shows that a platform is taking Ofcom seriously and fosters a cooperative culture. Ofcom has suggested in recent communications that it is willing to work with platforms so as to achieve the wider goal of improving online safety. 
Whilst Ofcom is likely to take a pragmatic approach with enforcement, the duties under the OSA and its deadlines are very clear. Ofcom’s approach towards enforcement of this demonstrates a direct and serious approach that platforms should not take lightly. Otherwise, platforms are at risk of paying fines of up to £18m or 10% of global turnover, whichever is higher.
This should also apply to other regulators, such as the Information Commissioner’s Office (ICO), the UK’s regulator for personal data. The ICO have written to a large number of sites seeking a response on cookie banner compliance. Platforms should not ignore these communications or risk similar penalties to the OSA. 
Larry Wong also contributed to this article. 

The Biggest Misconceptions About Digital Estate Planning

The rise of digital platforms, online accounts, and cryptocurrency has reshaped the role of digital assets in modern estate planning. Digital assets, once an afterthought or a minor footnote in the planning process, now warrant their own conversation entirely. Most estate practitioners have likely become more aware of the need to plan for digital assets. 
However, many clients still harbor misconceptions about these assets, which can muddle the planning process, leaving their digital legacies unprotected and their heirs unprepared — and as you know nearly all your clients have digital assets.
Here’s a look at six of the biggest misconceptions your clients may have about the digital side of estate planning, and why addressing them is crucial.
1. “My Will Covers My Digital Assets.”
Many clients believe that simply adding a generic clause about “digital assets” to their will is enough. While this is a good start, a clause alone is inadequate for comprehensive planning. Moreover, wills are public documents, so including sensitive digital information in a will, such as account logins, private keys, or other sensitive information, can create serious security risks.
Notably, without the proper digital asset authorization language included in a will (and other estate planning documents such as Powers of Attorney and Trust Agreements), fiduciaries acting under these documents, including agents, executors, and trustees, may lack legal access to important accounts and information. In addition, clauses in estate planning documents that permit fiduciary access must also specifically authorize disclosure of the contents of electronic communications (such as email messages), which are subject to heightened privacy standards. Of course, even if estate planning documents provide fiduciaries with the requisite legal access, this does not equate to actual access without preplanning measures. 
Proper planning also requires complementary tools, such as digital asset schedules and inventories, secure password vaults, and language that complies with the Revised Uniform Fiduciary Access to Digital Assets Act (RUFADAA), a version of which has been passed in the majority of U.S. states.
2. “Digital Assets Will Automatically Be Handled by the Service Providers After I Die.”
Many clients assume that their digital accounts will simply be managed or closed by service providers after they pass away. However, that assumption is likewise wrong. Most online services, including social media platforms and email providers, do not automatically transfer control of accounts to heirs or legal representatives.
While some providers offer account “legacy” services or offer online tools such as Facebook’s Legacy Contact feature—which allows someone to manage a deceased person’s account—many do not. As mentioned above, access to online accounts and certain digital assets by a fiduciary is governed under RUFADAA. Most clients are not aware of RUFADAA or the need to have specific legal instructions and directives in estate planning documents to access digital assets and accounts, if a service provider doesn’t have an online tool. Otherwise, heirs and legal representatives may be completely locked out or require a court order for access. This can lead to legal disputes, delays, and frustration for families already grieving a loss.
3. “I Can Just Give My Passwords to My Spouse or Kids.”
Some clients think a handwritten list of passwords (or even a shared note on their phone) is a sufficient means of transfer. This approach is problematic for many reasons:

Information is easily outdated (passwords change frequently).
How information is stored can create security risks (especially if lost, stolen, or seen by the wrong person, or not transmitted and stored with encryption).
Sharing passwords and login information violates many laws and terms of service agreements.

Estate planners need to guide clients toward secure and legal methods for granting access to their digital accounts and devices — such as using encrypted password managers, for starters. Clients who own cryptocurrency, NFTs, and other more sophisticated or sensitive digital information or IP need to use even more advanced methods to secure these types of digital interests, such as cold storage vaults, which are a form of digital storage not connected to the internet.
4. “Digital Assets Are Not Subject to Probate.”
Some clients incorrectly assume digital assets automatically bypass the probate process the same way some jointly owned assets or payable-on-death accounts do. But unless those digital assets are titled in a trust or handled via an online tool, which is similar to a beneficiary designation on an insurance policy or retirement account, they often do go through probate — and the process for gaining proper access can be expensive and time-consuming. Moreover, if the requisite legal authorizations were not included in estate planning documents, the information that eventually becomes accessible is more limited and does not include the content of electronic communications. 
For digital assets, and for a growing number of traditional assets, it is more common for no paper trail to exist due to the rise in online statements and management. And it is becoming harder to even identify what assets exist unless the client has proactively documented them. Finding utility and subscription information, for instance, can be a daunting process that can cause unnecessary delays if preplanning measures are not in place. As digital assets become more ubiquitous, it’s crucial to ensure that even the most basic online accounts are considered as part of an overall estate plan.
5. “My Digital Assets Are Too Small To Worry About.”
It is common for clients to dismiss the importance of digital assets with the belief that their digital accounts and footprint hold no value after they’re gone. The reality is, even non-monetary digital assets can create significant challenges for heirs and legal representatives at death. 
Your clients’ digital legacy can hold sentimental value that their heirs may want to preserve — photos, emails, and social media profiles all contribute to a person’s digital story. Ensuring these assets are properly managed is just as important as safeguarding tangible personal relics.
Some of your clients may ask, “What’s the big deal if I forget to close my Instagram account? There’s nothing in it.” But this is a dangerous misconception. While an online account may not have inherent monetary or sentimental value, it can become an entry point for cyberattacks and identity theft and present significant issues and additional time and expenses for heirs and legal representatives.
In the last few years, identity theft of the deceased has been on the rise, resulting in protracted estate administrations and thousands of dollars in additional fees. 
Non-financial digital assets can have hidden costs, and the failure to plan for them can lead to administrative headaches and financial burdens for loved ones that can easily be avoided through preplanning measures.
6. “Digital Estate Planning Is Just for Crypto Investors.”
I hear this one all the time. People think “digital assets” and “crypto” are interchangeable. Therefore, digital asset planning must only be relevant to those with significant cryptocurrency holdings or at least a deep understanding of technology. Estate planning professionals should be addressing digital assets for all clients—not just those who are involved in the tech or cryptocurrency spaces. After all, the average person today has around 168 online accounts, including email, social media, online banking, and cloud storage. That list grows daily, for both tech whizzes and luddites alike.
Remember: even if a client dies with no crypto and a negative net worth, their families can still inherit a complex digital scavenger hunt. That’s why virtually everyone needs digital estate planning. 
The Bottom Line
If you’re not discussing digital estate planning with your clients in 2025, you’re leaving them — and your practice, potentially — exposed. Digital assets are an integral part of every estate, and planning for them is the only way to ensure a seamless transition of assets, minimize loss, and decrease the likelihood of cybercrimes.
By integrating digital estate planning into your practice, you can provide your clients with the peace of mind in knowing their digital assets are properly protected and will be managed according to their wishes. 
This is too important to put off. Don’t let your clients fall victim to these and other common misconceptions — help them plan for their digital future today.

OCC Confirms Banks’ Authority to Offer Crypto Custody and Execution Services

On May 7, the OCC issued Interpretive Letter 1184, reaffirming that national banks and federal savings associations may provide cryptocurrency custody and execution services, including through sub-custodians. The OCC confirmed that these activities are permissible under existing banking authority so long as banks comply with applicable law and engage in safe and sound practices.
The letter builds upon earlier OCC guidance, including Interpretive Letters 1170 and 1183. Specifically, the OCC clarified the following:

Execution of crypto trades at customer direction is permissible. Banks may buy and sell crypto-assets held in custody or on behalf of customers, so long as the transactions are executed at the customer’s direction and in accordance with the customer agreement.
Outsourcing to third parties is allowed with appropriate oversight. Banks may engage sub-custodians and outsource custody or execution functions, provided they maintain robust third-party oversight practices and ensure proper internal controls are in place.
Crypto custody remains a modern extension of traditional bank custodial services. The OCC reiterated its position that holding crypto-assets is functionally similar to traditional custody services, which fall within banks’ statutory authority.
Fiduciary activities must follow applicable regulations. When acting in a fiduciary capacity, banks must comply with 12 C.F.R. Part 9 (for national banks) or Part 150 (for federal savings associations), including rules on the custody and control of fiduciary assets.

Putting It Into Practice: The OCC’s latest guidance offers banks further regulatory clarity in connection with crypto-related services. Banks considering entry into the digital asset space should track these regulatory shifts closely and ensure their compliance, risk management, and third-party oversight frameworks are equipped to support crypto operations.

Ascension Notifies 430,000 Patients of Data Breach

Healthcare system Ascension has notified 437,329 patients of a data breach exposing “demographic information, such as name, address, phone number(s), email address, date of birth, race, gender, and Social Security numbers, as well as clinical information related to an inpatient visit.”
Ascension indicated that the incident occurred when it “inadvertently disclosed information to a former business partner, and some of this information was likely stolen from them due to a vulnerability in third-party software used by the former business partner.”
Ascension is offering affected individuals two years of free identity monitoring, including credit monitoring, fraud consultation, and identity theft restoration.

The VPPA: The NBA and NFL Ask SCOTUS to Referee

On April 22, 2025, the National Football League (NFL) filed an amicus brief asking the United States Supreme Court to take on a Video Privacy Protection Act (VPPA) class action case against the National Basketball Association (NBA). In my last post, we covered a recent VPPA lawsuit against a movie theater company and reviewed the provisions of the Act. In recent years, we analyzed how plaintiffs have applied the VPPA outside of traditional video contexts. This week, we dive deeper into a VPPA case against the NBA and explore the NFL’s amicus brief supporting the NBA’s position, asserting why the Act should not apply in the modern video streaming context, particularly for sports leagues.
Case Background
In the case against the NBA, the plaintiff alleged that they subscribed to the NBA’s newsletter and watched free videos on its website while logged into their Facebook account. In doing so, the NBA reportedly shared their personal viewing information with Facebook via the Meta Pixel tracking technology. The plaintiff asserted that they were a “subscriber of goods and services” and therefore met the definition of a consumer under the VPPA. See Salazar v. Nat’l Basketball Ass’n, 118 F.4th 533 (2d Cir. 2024).
To recap, the VPPA prohibits a video tape service provider from knowingly disclosing a consumer’s personally identifiable information—including information identifying a person as having requested or obtained specific video materials or services from a video tape service provider—to a third party without the consumer’s express consent. A “video tape service provider” is defined as someone “engaged in the business … of rental, sale, or delivery of prerecorded video cassette tapes or similar audiovisual materials,” and has been interpreted to apply to video streaming service providers. A “consumer” refers to a renter, purchaser, or subscriber of goods or services from a video tape service provider.
In October 2024, the Second Circuit held that the plaintiff was the NBA’s consumer under the VPPA, interpreting that the term “consumer” should include an individual who rents, purchases, or subscribes to any of a provider’s goods or services, not just those that are audiovisual. The Second Circuit also concluded that even though the NBA may have obtained only the plaintiff’s name, email, IP address, and cookies associated with their device, the provision of such information in exchange for receiving services constitutes a “subscription.” Further, the Second Circuit also held that the VPPA applies even for videos accessed on a public page that does not require a sign-in for exclusive content.
The NBA filed a petition for certiorari, requesting the Supreme Court to review the Second Circuit’s decision.
The NFL’s Amicus Brief
The NFL’s amicus brief highlights that the Second Circuit is not alone in this broad interpretation of the VPPA. The Seventh Circuit has also held that a plaintiff need not have rented, purchased, or subscribed to the defendant’s audiovisual goods or services to qualify as a consumer under the VPPA, but that any goods or services are sufficient. However, the Sixth Circuit has held to the contrary, reasoning that the definition of “consumer” in the statute does not encompass consumers of all goods or services imaginable, but only those offered in a video tape service provider context. The NFL supports the latter position.
The NFL warns that the “explosion of VPPA class actions” is a concern for content providers like the NBA and NFL, who risk “massive liability” that was “unforeseen by Congress” when the VPPA was enacted in 1988. According to the NFL, tracking technology is “ubiquitous” and “makes much of the content on the Web free.” The NFL warns that if online content providers face such liability, “many content providers would be forced to pursue alternative sources of revenue as a result of the reduction in targeted advertising revenues,” which may result in consumers paying for currently free applications and services.
For sports leagues specifically, the NFL asserts that these organizations often have “hundreds of millions of fans,” many of whom purchase or rent non-audiovisual goods and services that would qualify them as a consumer under a broad interpretation of the VPPA. For example, a fan who bought tickets to a sports game or purchased league apparel through the NBA or NFL website, who then happened to watch a free video on the league’s website while logged into Facebook, may be considered a consumer, and could seek VPPA damages.
The NFL also asserts that there is no real harm to VPPA plaintiffs because using pixels is not a secret and that “consumers are well aware that enabling the use of cookies permits personalized advertising.” The NFL emphasizes that the plaintiff in the NBA case admitted they could have seen that the NBA was using the Meta Pixel by viewing the code on the NBA’s website. In addition, Meta’s Cookie Policy informs users that it may obtain information from third parties. Therefore, the NFL also questions consumers’ standing for such VPPA suits based on no real harm.
Last year, plaintiffs initiated over 250 VPPA lawsuits. Yet, the circuit split still leaves open the question: Who qualifies as a consumer under the VPPA in this modern video streaming context? The NBA, with support from the NFL, has punted the question to the Supreme Court. If the writ of certiorari is granted, we might find the ball in SCOTUS’ court.