"Operation Chokepoint 2.0":
De-banking policies and the adverse use of reputational risk in bank supervision

The power to regulate—in addition to the power to tax—is the power to destroy."

Peter Wallison, Judicial Fortitude (2018)

As we have previously noted, we expect that the second Trump Administration will be significantly more favorable to crypto than the Biden Administration, especially with the recent appointment of David Sacks as the Administration's "Crypto Czar." We anticipate that in short order the new Administration will address "de-banking," a regulatory practice that has vexed the digital asset industry—and banking in general—over the last several years. In this context, "de-banking" means canceling banking services to crypto entities and individuals associated with them or crypto activities. It is a practice that has been sharply criticized and has become even less comprehensible as the digital asset industry has matured and embraced (indeed, has sought) reasonable regulation. In the last several days the attention paid to this issue has increased sharply as a result of comments by Marc Andreessen on the Joe Rogan podcast.

Regrettably, the de-banking problem is not new. De-banking crypto is simply the latest variation of regulators using vague and amorphous standards to supervise bank conduct through the subjective lens of what the federal banking agencies call "reputational risk."

Below we discuss how we got here and some ways forward.

Bank Supervision Takes an Unmarked Path – The Implementation of "Reputation Risk"

Prior to the mid-1990s, bank supervisors did not specifically regulate reputation risk. Their primary focus was on the fundamental components of safety and soundness, capital, credit and market risk. However, the OCC and the Federal Reserve both began to develop new "risk focused" supervisory approaches. Each banking regulator developed its own list of risks, but each chose to include "reputation risk." Over time, the regulators broadened the list of "stakeholders" who might be impacted by reputation risk to include not only customers and the community, but counterparties, correspondents, investors, employees and the regulators themselves.[1] Remarkably, the Federal Reserve explicitly noted that "negative publicity" could qualify as a reputation risk, even if it was not true.[2]

Thus, without notice or comment, in 1996 the bank examiners modified the centerpiece of bank supervision, the CAMELS (Capital adequacy, Asset quality, Management, Earnings, Liquidity and Sensitivity [to interest rate changes]) rating system, created in 1979 to measure a bank's financial condition and operations, that is, its safety and soundness. Now, however, the regulators changed the banks' scorecard to also include reputational risk as part of both the asset quality and management ratings. This change would have sweeping consequences for both banks and their customers.[3]

The Origins of De-Banking: "Operation Choke Point" (2013–2017)

De-banking first arose in the Obama Administration when legal but politically disfavored businesses with activities involving payday lending, firearms, tobacco, fossil fuels, among others, began to receive negative attention from federal banking agencies. Examiners encouraged banks to end their relationships with these businesses, thus "choking" them off from the financial system.

While originally rooted in an initiative led by the Department of Justice, this practice became known in the industry as "Operation Choke Point" ("OCP 1.0"). OCP 1.0 was essentially governed by bank regulators' subjective perceptions of which businesses were unsavory and, therefore, might pose so-called "reputational risk" to banks that had them as customers.

It had two general components: (1) agencies would publish informal guidance, and (2) exert pressure on banks within the highly confidential confines of examinations.[4]

Reputational risk is an amorphous tool

The concept of reputational risk is not consistently clear or based on objective indicia. Reputational risk is thought of as ancillary to credit risk, operational risk and other primary risks managed by banks. But because of its mutable nature, reputational risk is present in every facet of banking.[5] In short, regulators can find reputational risk almost wherever they choose to look.

It was ripe for use in a program of de-banking.

Bank ratings

Reputational risk is not necessarily tied to a violation of law but often arises in connection with Matters Requiring Attention ("MRAs"), which are both issued and resolved outside of the public view and can prompt a downgrade in a bank's Management rating as part of the bank's overall CAMELS scorecard. Even if all other rating elements are strong, an unsatisfactory management rating may affect the bank's ability to engage in acquisitions, engage in certain activities, or add branches – any or all of which can drive fundamental changes to a bank's strategic plan. These kinds of ratings downgrades are effectively unappealable (appeals processes exist, but chances of success are rather low). For banks, such downgrades are to be avoided at all costs. That, of course, provides tremendous leverage to bank examiners to dictate their desired results. Indeed, the Bank Policy Institute recently opined that "[e]xaminers use the 'M' in 'CAMELS' as a weapon to dictate bank behavior."

In Congressional testimony on July 15, 2014, former FDIC Chair William Isaac described OCP 1.0 as "one of the most dangerous programs I have experienced in my 45 years of service as a bank regulator, bank attorney and consultant, and bank board member." He went on to note that: "No one really knows what reputational risk means beyond the fact that a bank is doing something that a regulator doesn't like but can't quantify in terms of risk under the CAMELS rating system. This development has been a major factor in shifting the banking agencies from their primary role as guardians of the safety and soundness and stability of the financial system to amorphous financial social welfare agencies."

Confidential supervisory information

Supervisory scrutiny takes place out of public view, primarily through the issuance of non-public FIRREA subpoenas (from the DOJ) and through implied or express threats to issue MRAs and downgrade CAMELS ratings (from prudential regulators). These decisions and the communications surrounding them fall under Confidential Supervisory Information ("CSI") protections. CSI includes reports of examination and inspection, confidential operating and condition reports, and any information derived from, relating to, or contained in them and any documents prepared by, or on behalf of, or for the use of the agencies.[6] It essentially covers any examination activity. Regulators consider CSI their property, and the unauthorized disclosure of CSI is prohibited and punishable as a felony.[7]

Under this veil of secrecy, the federal banking agencies could pursue a policy of de-banking while publicly stating that they neither prohibit nor discourage banks from doing business with any specific industries or businesses.

Reputational risk is an unclear standard and involves an unfair process

Because regulators list themselves as among the so-called "stakeholders" to whom reputational risk is relevant, any finding of reputational risk is—by definition—nearly indisputable.

Thus, operating in secret, bank examiners have used reputational risk to achieve policy goals to penalize unfavored industries or individuals without the individuals having either any effective recourse or even knowledge as to why they were de-banked.

In effect, this ignores an individual's right to make a living in the conduct of a legal business, which in modern society is tied to access to financial services.[8] There is a complete absence of any process allowing an individual to contest such a decision. Other critics maintain that this practice also violates the Administrative Procedure Act ("APA") because it acts as a sotto voce alternate for rulemaking.

OCP 1.0 Is Challenged in Court

In 2014, OCP 1.0 was challenged in the U.S. District Court for the District of Columbia by a trade association of payday lenders which sued the FDIC, the OCC and the Federal Reserve.[9]

While denying the APA claim, the court ruled that plaintiffs had stated an appropriate due process claim under the Fifth Amendment. The court found that the plaintiffs' interest in conducting a legal business was protected as an interest in property. The court noted that the stigma applied by the regulators which caused plaintiffs to lose their bank account was a colorable allegation of a property interest in a bank account which was sufficient to support a due process claim.[10] The court found that "where a person's good name, reputation, honor, or integrity is at stake because of what the government is doing to him, notice and an opportunity to be heard are essential."[11]

Congressional Review and Criticism of OCP 1.0

At the same time, Congressional and trade group criticism of OCP 1.0 substantially increased, with senior legislators such as Rep. Jeb Hensarling issuing warnings that the newly defined concept of reputational risk could easily "be invoked to compel a depository institution to sever a customer relationship with a small business operating in accordance with all applicable laws and regulations, but whose industry is deemed reputationally risky for no other reason than it has been the subject of unflattering press coverage, or that certain executive branch agencies disapprove of its business model[,]" while others described it as an "illegal and abusive practice." And, in a highly critical staff report issued in May 2014, the Committee on Oversight and Government Reform concluded that OCP 1.0 forced banks to terminate relationships with a wide variety of entirely lawful and legitimate merchants and that the Justice Department lacked adequate authority for the initiative. Ultimately, this pressure caused the FDIC to amend its guidance on these matters, in 2017 the Justice Department informed Congress it was ending OCP 1.0, and the civil litigation was ultimately resolved during the Trump Administration in 2019.

However, while this may have appeared to be a win for plaintiffs and for those affected, there was no lasting accountability for this regulatory misconduct for the federal banking agencies.

Negative Impact of Reputational Risk on Banks

The intensified use of reputation risk also had a negative impact on banks themselves because it inserted bank examiners into the actual business of managing a bank as opposed to supervising risks to a bank's safety and soundness. And this was done in ways for which, as noted above, most banks were powerless to object. The Bank Policy Institute ("BPI") commented on this non-public regime in 2017, 2020, and again in 2024.

• In 2017, BPI noted that reputational risk is "rarely, and likely never, a safety and soundness risk."
• In 2020, BPI observed that examining for reputational risk can devolve into "examination as political consulting."
• That theme was expanded on in 2024 when BPI opined that bank examiners have expanded their supervisory powers to the point that it "is subject to no checks and balances" and "operates in secret based on the varying views of individual examiners, and the agencies have created their own enforcement regime, not based on rule or law, to impose significant penalties on banks that do not follow their mandates. These penalties can be severe and greatly affect the ability of banks to run their business; they range from limits on the business growth, orders to divest from certain lines and customers, denials of mergers and acquisitions and increases in deposit insurance fees, among other things."

Adding to the challenge, the federal banking agencies can pursue these actions without direct, written orders or other directives. According to Professor Todd Zywicki (of George Mason University's Antonin Scalia Law School), "What banks understand is the government just doesn't make suggestions. When the government suggests something, everyone understands that's an order, and that's how banks respond."[12]

The 2024 BPI article further examines how reputational risk enables bank examiners to abuse their power: "Today's examiners are using the examination process to push banks out of legitimate activity that benefits economic growth.… [B]ank examiners now feel empowered to tell individual banks how to run their businesses by shedding business lines or clients as they have a strong incentive to find problems and prevent banks from taking risk."

For instance, through AML examinations, agencies "can designate certain industries or companies [such as crypto] as 'high risk,' a designation that comes with so high a compliance burden as to force the bank to expel the customers from the bank." And this conduct is not limited to politically unpopular businesses as noted above. In fact, examiners also have pushed banks out of the mortgage servicing business, leveraged lending, synthetic risk transfers, and relationships with third-party non-bank service providers.

Ripple effect

The misuses of reputational risk and de-banking are by no means restricted to the crypto community. Banks are in the business of making loans that are safe and sound and which stimulate economic growth. Outside of financial crimes, sanctions and related contexts—when regulators interpose themselves between a bank and its customers by, in effect, telling banks which customers it may or may not bank, all parties suffer. Moreover, there is little predictability or logic to the regulators' decisions, and therefore they are not helpful to industry participants looking to understand the contours of permissible activities and other articulated policies.

What Is Old Is New Again—OCP 2.0 (2021-2024)

Without lasting accountability for the agencies[13] and with the encouragement of the Biden Administration, these same tools were available when federal banking agencies perceived the rising popularity of digital assets as a threat. Enter what has become known colloquially as "Operation Choke Point 2.0" ("OCP 2.0").

Even after the collapse of OCP 1.0, the bank regulators leveraged their supervisory powers to effectively direct bank conduct in ways that have been difficult to counter.

As a general matter, banks have been more thoroughly supervised, and kitchen-sink enforcement actions that look at every and all issues—not necessarily those on a risk basis—have predominated. Within supervision, banks have been instructed by agencies to terminate third-party service provider relationships. Not complying in supervision risked public enforcement consequences.

There has been a recent outpouring of alleged examples of de-banking followed on social media by commenters involved in the digital asset industry—as well as the fintech industry more broadly. These commenters claim that they were not only de-banked but were denied access to products such as payment services and card processing.

Some observers also claim that the overall de-banking effort in OCP 2.0 had a direct connection to the failure of both Silvergate Bank and Signature Bank, both of which had provided significant services to the crypto industry through their respective 24/7 crypto settlement layers, SEN and SigNet.

For instance, there are those that believe Silvergate was fatally crippled by the imposition of a non-public "cap" on crypto deposits of 15%, which made its business model non-sustainable. (Or, as described in a more anodyne fashion in Silvergate's Chapter 11 filings: "the Federal Bank regulatory agencies would not tolerate banks with significant concentrations of digital asset customers, ultimately preventing Silvergate Bank from continuing its digital asset focused business model.")

Signature Bank was put into receivership while still solvent, over the protests of its board member, former House Financial Services Committee Chair Barney Frank, who opined that Signature's closure was "just a way to tell people, 'We don't want you dealing with crypto.'" Remarkably, the FDIC refused to sell off Signature's crypto-focused deposits or its SigNet product, contrary to its policy of maximizing value for taxpayers and minimizing costs to the Deposit Insurance Fund by selling assets at the best possible prices.

Notably, other crypto-friendly banks and their customers, were subsequently targets of regulatory action. Moreover, OCP 2.0 may provide an explanation for why the OCC denied national trust bank charters (via expiration of time) to both Protego and Paxos after they had been conditionally approved, and why after Anchorage Trust Bank received the final approval of its charter, it was the recipient of an extensive OCC consent order. OCP 2.0 may also be connected to the denial of Fed Master Account services (ACH/Fed Wire) to state-chartered novel institutions like Custodia Bank (a special purpose deposit institution chartered by Wyoming). The message was simple: banks and crypto are not to be mixed. In 2023, the regulators briefly saluted to the concept that banks "are neither prohibited nor discouraged from providing banking services to customers of any specific class or type ..." while at the same time stating that the issuing or holding of crypto assets "… is highly likely to be inconsistent with safe and sound banking practices."

Nonetheless, understanding regulatory actions in this space requires a balanced approach. There is no question that digital assets carry risk, and that regulation has a crucial role to play in ensuring that fair disclosures are made regarding those risks, and practical measures are implemented to combat money laundering, terrorism financing, and related criminal activity. However, friction has arisen regarding how to achieve these goals in a way that is consistent with the beneficial features of this new technology and its opportunities. Fortunately, proposed rulemaking and legislative solutions are already part of the public record, and they can provide a solid foundation on which to build a workable and reasonable program of regulatory oversight and compliance.

OCP 2.0 appears to have been broader and more coordinated than OCP 1.0 and may ultimately prove more difficult to unwind. Below we examine some of the tools used by the federal banking agencies in their de-banking efforts.

Removal of Protections

1. Fair Access Rule. Under Acting Comptroller Brian Brooks, on January 14, 2021, the OCC promulgated the "Fair Access Rule" which not only implemented language included in Title III of the Dodd-Frank Act concerning the OCC's mission but required covered banks to make the products and services they choose to offer available to all customers in the communities they serve based on consideration of quantitative, impartial, risk-based standards established by the bank. The OCC considered over 35,000 comments and suggestions. In announcing the rule, Acting Comptroller Brooks stated "banks should not terminate services to entire categories of customers without conducting individual risk assessments. It is inconsistent with basic principles of prudent risk management to make decisions based solely on conclusory or categorical assertions of risk without actual analysis. Moreover, elected officials should determine what is legal and illegal in our country," not unelected officials.

   Immediately upon taking office, the Biden Administration prevented the publication of the Fair Access Rule in the Federal Register and then "paused" it indefinitely.

2. Interpretive Letters. During the latter half of 2020, the OCC had issued several interpretive letters favorable to banks providing certain crypto services, specifically Interpretive Letters 1170, 1172, and 1174. In November 2021, the OCC's new chief counsel issued Interpretive Letter 1179 "clarifying" the prior three interpretive letters. While stating that these activities remain permissible, it added that a bank must notify its supervisory office of its intention to engage in these activities and may not engage in them until it receives a supervisory non-objection. In essence, the OCC appointed itself as gatekeeper for all crypto activities, even permissible ones. That, in effect, meant that no crypto activities would go forward. The FDIC and the Federal Reserve soon issued similar policies.

   Notably, the crypto exchange Coinbase sued the FDIC to receive letters related to its FOIA request about letters the FDIC sent to banks asking them to pause all their crypto activities. These were produced in early November 2024, and they indicate 23 separate instances in which the FDIC's regional offices in New York, Chicago, Kansas City, Dallas and San Francisco asked banks to either pause their crypto activities or to "not proceed" with certain planned activities. This was confirmed (at p. 58) in the October 2024 FDIC's OIG's Semi-Annual Report.

3. Accounting Rules. Prior to OCP 2.0, banks that held client assets in trust were not required to account for those assets on their balance sheets: the assets do not belong to the bank. However, clients began asking their registered investment advisors ("RIAs") to invest client funds in a variety of crypto assets. Under SEC rules, the RIA must maintain these client funds and securities with a "qualified custodian," such as a bank. Without engaging in any notice and comment process, the SEC promulgated Staff Accounting Bulletin 121, which requires that entities acting as qualified custodians for digital assets record on their balance sheets liabilities in an amount equal to the fair value of the digital asset which they are holding in custody along with a corresponding asset for the same amount. That, in essence, made it overly burdensome for most banks to serve as qualified custodians for RIAs holding crypto assets, thus further limiting the ability of such assets to enter mainstream finance.

   Even major banks objected to this change in accounting treatment, noting that it was "a departure from accounting standards and the historical practice of treating custodial assets as off balance sheet … [which] effectively precludes banks from offering digital asset custody at scale…." Remarkably, the GAO ruled that SAB 121 was a "rule" under the APA which should have been submitted for approval under the Congressional Review Act ("CRA"). Despite the passage of bi-partisan resolutions of disapproval in both Houses under the CRA, that effort was vetoed by President Biden.

4. Denying access to Federal Reserve payment services. Banks have typically been able to apply to the Federal Reserve for access to its payments services, including the use of ACH and Fedwire services. These services are critically important because without them, banks are unable to move money other than through a correspondent bank, which adds friction like time and costs.

   Over several years, Wyoming developed a new form of state-chartered bank, a special-purpose depository institution. The first bank to secure such a charter was Custodia Bank, having passed all the state requirements for issuance of a charter including the adoption of extensive risk management policies and procedures.

   Applications to the Federal Reserve for access to its services were typically a straightforward matter. Despite close engagement with the Federal Reserve Bank of Kansas City during its chartering process, Custodia Bank waited for more than a year for the Federal Reserve to act and ultimately filed suit to compel issuance of a Master Account. While Custodia Bank passed the motion to dismiss hurdle, it was unsuccessful at the summary judgment level. The matter is now on appeal to the 10th Circuit. Again, the message was clear. Despite the fact that access to Federal Reserve services is not prohibited to crypto banks by statute or by rule, the Federal Reserve apparently does not want a crypto bank to have such access.

A Way Forward

The actions of the federal banking agencies under OCP 2.0 have damaged the digital asset and blockchain business in the United States. For the last two to three years an atmosphere of fear has pervaded the industry as regulators have sought to de-bank industry participants, including individual investors. Subsequent to his podcast comments, Marc Andreessen characterized OCP 2.0 as "trickle down privatized domestic sanctions." The message of OCP 2.0 has been clear: stay away from crypto and you will not be bothered.

That policy is about to change. And while prior harm cannot be undone, there are a number of practical steps the second Trump Administration and Congress can take to ensure that the prior policy is quickly reversed and does not come back. Given the complexity and secretive nature of supervision to accomplish OCP 2.0, comprehensive remedies are needed—more than passing a law or issuing new agency policies. In the end, lasting change will be grounded in accountability and transparency. We set forth below a few of those steps and encourage our readers to offer others:

• Publish the Fair Access Rule on January 21, 2025 in the Federal Register. This will fulfill the policy requirements of the Dodd-Frank Act and will level the playing field. Moreover, a Fair Access Rule could be extended to the FDIC and the Federal Reserve.
• Restore transparency. Lift the curtain with respect to what actually happened in OCP 2.0. Drop all objections to existing FOIA requests. Use agency Regulatory Reform Officers and Regulatory Task Forces (assuming they are revived by the Trump Administration) to establish the actual record. Require the senior legal officer or the Inspector General of each federal banking agency to report on these efforts promptly. Impose penalties for bad faith resistance to FOIA requests (similar to anti-retaliation statutes binding government agencies). Launch a major and comprehensive report on OCP 2.0, led by the new "Crypto Czar."
• Remove the regulatory gatekeeping function. Amend (or repeal) OCC IL 1179, FDIC FIL-16-2022 and FRB SR 22-6, as well as the Interagency Joint Statements on crypto risks issued January 31, 2023, and February 23, 2023, to make clear that these standards are not intended to be an insurmountable barrier to reasonable compliance efforts.
• Form a partnership between the banking and digital asset industries. These industries could work together to reform the use of "reputational risk" and minimize (or eliminate) its impact on CAMELS ratings. The new Administration could begin with an Executive Order mandating the removal of all opaque references to reputational risk from examination manuals to be replaced with objective safety and soundness standards and measurements. (In fact, the time may be right for a complete re-thinking of the 45 year old CAMELS system.)
• Develop a new standard to govern potential account closures that are not related to national security concerns or to criminality. For instance, a challenged account could remain open but subject to enhanced monitoring for a set period such as six months. The customer pays a fee for the cost of the enhanced review. If after that period there are no grounds to close the account, the fee is returned plus a reasonable market interest.
• Provide reasonable notice of account closures. This would include an opportunity for the customer to respond/appeal.
• Enhance communication. Require agencies to hold public meetings with industry leaders every six months to receive feedback about the supervisory process. Appoint an interagency "Innovation Council" to develop programs (e.g., "sandboxes") to both educate the agencies and develop programs to foster safe and sound innovation, enabling the U.S. to catch up to countries like Brazil, Nigeria and Singapore that already have launched such programs.
• Acknowledge items of "guidance" that are actually rules and make standards more objective. Direct a review and identification of past "guidance" on this subject (e.g., FIL-41-2014) that amounts to rules under the APA or CRA and require that they go through the appropriate processes. Require that any rulemaking on what constitutes reputational risk uses objective standards, particularly with regard to the assessment of the "Management" component of the CAMELS rating. Analyze how bank supervision has developed since the advent of "reputational risk" and report publicly on which practices amount to rulemaking subject to the APA and the CRA.
• Other considerations. The new Administration could consider new Executive Orders and banking agency policies to implement the changes noted above, including a prohibition against using any rule which should have been submitted for notice and comment under the APA and to Congress under the CRA but was not. It could also consider damages and restoration of the status quo for those entities damaged by OCP 2.0, as well as settling outstanding litigation in a manner that preserves safety and soundness but permits innovation. It could also explore liberalizing exceptions to CSI rules when there are allegations of inappropriate examiner conduct, as well as whether CSI must in fact be treated as so confidentially. Revising the supervisory appeals processes for meaningful relief could also help a great deal.
• Congressional actions to support the new Administration's actions.
  • As suggested by Rep. French Hill, commence an investigation by appropriate Senate and House Committees, using the subpoena power if necessary, to secure testimony from responsible officials.
  • Re-introduce and pass legislation empowering victims — such as enhanced versions of the "Financial Institution Customer Protection Act of 2019" (Rep. Blaine Luetkemeyer) or the "Saving Privacy Act" (Sens. Mike Lee and Rick Scott) — including a private right of action for those institutions and individuals harmed by illicit government activity.
  • Acknowledge the uniqueness of digital assets and blockchain and hold hearings on the development of a "Digital Asset Commission" whose sole responsibility would be the development rules for crypto issuers and exchanges and the banks that serve them.

Future Corrective Policy

OCP 2.0 was harmful for the U.S. financial system—innovation, investments, customers, and careers. It grew from vague and malleable policies adopted without public input and only loosely connected (if at all) to bank safety and soundness. Over time, it metastasized into an instrument of government-management of industries and technologies, even legal ones.

The good news is that this can be fixed by the implementation of objective supervisory standards—subject to public notice and comment—focused on the safety and soundness of institutions supervised and retuning to bank management and boards their proper role as stewards of the institutions' reputation. Pendulum swings on safety and soundness, innovation, and which lawful citizens and businesses should get bank accounts are not in anyone's interest.

OCP 2.0 was the outgrowth of OCP 1.0. It has had the markings of an experiment ("test and learn") to see how much protean authority government could exercise in the absence of effective review or accountability. Strong, bold, and broad policy steps such as those suggested above should be taken to ensure it does not reoccur.