--- title: The 72-Hour Bank-Account Closure Response Protocol for Regulated Crypto Firms slug: bank-closure-72-hour-protocol publishedAt: 2026-05-24T10:00:00Z author: Finconduit Editorial Team tags: PSD2, EMD2, AML, MiCA canonicalUrl: https://finconduit.com/resources/bank-closure-72-hour-protocol --- # The 72-Hour Bank-Account Closure Response Protocol for Regulated Crypto Firms Hour-by-hour protocol for the panic window after a bank closure notice: containment, parallel activation, migration, and regulator notification. The closure notice arrives by email at 16:42 on a Thursday. By 17:00 the CEO has been told, by 17:30 the WhatsApp groups are lit, and by 22:00 the firm is still discussing whether to call the bank back. By the time anyone runs a treasury sweep it is Friday lunchtime and 48 of the 72 useful hours are gone. This is the pattern. Most **regulated crypto firms** — **CASPs**, **VASPs**, **EMIs** — spend the first 72 hours after a closure notice **reacting** when they should be **executing**. The survivors do not improvise. They run a pre\-built, hour\-by\-hour protocol that they wrote in calm weather. This guide is that protocol. It covers the **72\-Hour Closure Response Protocol** in three 24\-hour phases — **Containment**, **Parallel Activation**, and **Migration & Notification** — and it covers the asset pack you must have in the drawer before any notice ever arrives. If your firm cannot answer *"what happens in the first hour?"* without a meeting, you do not have a protocol — you have a vulnerability. ## Why 72 Hours Is the Window That Matters Bank closure notices in the EEA and UK typically give **60 days** of formal notice under **PSD2 Art. 79** for payment account termination, but the operational reality is much tighter. Within 72 hours of a notice landing, three things happen that compress the real window. First, **inbound and outbound payment rails** begin to throttle — debit\-card transactions get declined, SEPA Instant fails, correspondent banks de\-prioritise the BIC. Second, the **news leaks** internally and externally. Third, the **backup bank's onboarding queue** fills up if you wait. PSD2 may give you 60 days on paper, but [PSD2](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32015L2366)¹[^1] is silent on what the bank can quietly stop doing in week one. Regulators measure you by the first 72 hours as well. The **FCA** expects **prompt notification** of any event that materially affects the firm's ability to meet its threshold conditions, and **customer\-fund safeguarding** obligations under **EMD2 Art. 7** are continuous, not retrospective. Lose the account and lose continuity simultaneously, and your supervisory file gets a permanent mark. > **Warning:** The 72\-hour window is not a regulatory deadline — it is an operational one. By Hour 72, payment rails are degrading, customer complaints are spiking, and the backup bank's queue position is set. The firms that survive a closure are the ones that finished migration before the notice period legally required them to. ## Hour 0–24: Containment The first 24 hours are about **stopping the bleeding**, not solving the problem. Containment has five workstreams that must run in parallel — not sequentially. ### Acknowledge the Notice in Writing Within **the first 2 hours**, reply to the closure notice in writing. Acknowledge receipt, request the **specific clause** of the framework agreement under which the bank is acting, ask for a named single point of contact, and request the bank's **wind\-down timetable** \(when do cards stop working, when does the IBAN cease accepting credits, when is the final transfer window\). This is not a negotiation letter. It is an **evidence\-creation letter**. The written exchange becomes part of your audit file, your regulator\-notification pack, and — if it comes to it — your dispute file under the **Payment Account Switching Regulations**. ### Triage the Reason The reason for closure determines everything that follows. Banks rarely give a clean reason in writing — the notice will usually cite *"commercial decision"* or *"risk appetite"* — but the real driver maps to one of six categories listed in the closure\-reason table below. Your **MLRO** should make a written assessment of the most probable reason within Hour 6, because the assessment changes the regulator\-notification strategy. ### Activate Customer\-Fund Protection If you hold **safeguarded customer funds** at the closing bank, customer\-fund protection is the single most urgent workstream. Under [EMD2 Art. 7](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32009L0110)²[^2], safeguarded funds must remain continuously segregated. Movement to a non\-safeguarding account, even briefly, breaches the obligation. By **Hour 12** you must have confirmed: \(a\) the closing bank's safeguarding\-account closure date, \(b\) the backup safeguarding bank's same\-name account is **open and credit\-ready**, and \(c\) the new safeguarding letter is signed. If your backup is a **specialist crypto\-native EMI** or **BaaS sponsor bank**, confirm their safeguarding model in writing — not all sponsors offer a true segregated safeguarding pool. ### Inform the MLRO and Legal The **MLRO** must be notified within Hour 1 — not because closure is itself a reportable event, but because the closure may be **SAR\-adjacent**. If the bank is closing because of a transaction monitoring alert, the MLRO needs to know now to assess whether internal escalation or a fresh **SAR** is warranted. Legal counsel \(internal or outside\) must be looped in by **Hour 4** to review the notice against the framework agreement, assess any potential **breach\-of\-contract** angles, and prepare the customer\-communications language under the GDPR and consumer\-protection lens. ### Decide on Regulator Notification Regulator notification is rarely a same\-day decision, but the **decision framework** must be opened in Hour 0–24. Under [SYSC 4](https://www.handbook.fca.org.uk/handbook/SYSC/4/)³[^3], an FCA\-authorised firm must notify the regulator of anything that materially affects its ability to meet threshold conditions. Loss of a banking partner usually does. The question is timing and framing — and you want that decision documented before the second sleep. > **Tip:** By the end of Hour 24, you should have: a written acknowledgement to the bank, an MLRO assessment of the closure reason, a customer\-fund protection plan with a backup safeguarding account confirmed, legal counsel engaged, and a written regulator\-notification decision \(notify now, notify on activation, or notify on migration completion\). ## Hour 24–48: Parallel Activation The second 24 hours are when the **pre\-built backup** earns its keep — or its absence becomes the central crisis. Activation has four parallel workstreams. ### Trigger the Pre\-Built Banking Backup By **Hour 30**, send the activation email to your backup banking partner. The activation email should reference the existing **Memorandum of Understanding** \(MoU\) or framework agreement, confirm the expected first\-credit volume and date, request expedited limit increases, and ask for a named relationship manager to be assigned to the migration window. If you do not have an MoU in place, Hour 30 becomes **new\-bank onboarding from a cold start** — a process that typically takes **3–6 months** for a **Tier\-1 EU clearing bank** and **6–10 weeks** for a specialist EMI. Neither timeline survives a 72\-hour window. ### Reconfigure Payment Rails Every system that touches the closing IBAN must be reconfigured. The inventory typically includes: card\-acquirer settlement accounts, **SEPA** direct\-debit mandates, payroll BACS files, treasury sweep rules, on\-ramp/off\-ramp partner accounts, and **SWIFT** correspondent routing tables. The [EBA Guidelines on de\-risking](https://www.eba.europa.eu/regulation-and-policy/anti-money-laundering-and-countering-financing-terrorism/guidelines-policies-and-procedures-de-risking)⁴[^4] make clear that credit institutions should not de\-risk entire categories of customers without an individual assessment — but the guidelines do not prevent closure of individual accounts. Reconfiguration is your problem, not the bank's. ### Customer Communications Standby Customer communications should be **drafted but not sent** in Hour 24–48. Premature notification creates a deposit run; late notification creates a complaints surge. The target is to send the customer email simultaneously with the IBAN cutover in Hour 48–72. The communication must include the new IBAN, the cutover date, what action \(if any\) the customer needs to take, and a statement that **client funds remain safeguarded** throughout the migration. The MLRO and legal counsel sign off the language before send. ### Treasury Movement Plan By **Hour 36** the treasury team must have a written movement plan: how much moves first, in what currency, via which corridor \(SEPA Instant, SWIFT MT103, internal book transfer\), with what daily limit ceiling, and which counterparty bank is signing for the receipt. For firms with **multi\-currency treasury** needs, the plan must sequence EUR, GBP, USD, and any third\-currency moves to avoid an FX\-shortage gap at the new bank. Always move the safeguarded customer balance **first**, operational float second, and reserves last. ## Hour 48–72: Migration & Notification The final 24 hours are **execution**. If Hour 0–48 is done well, this is paperwork. If it is not, this is improvisation. ### Wire the Funds The first transfer should hit the new bank in **Hour 48–54** — typically a smaller **test transfer** to confirm rails, reference fields, and reconciliation. Once confirmed, the bulk move follows in Hour 54–66. Do not leave the bulk move to the final 6 hours; banks routinely impose end\-of\-day cut\-offs that you only discover when a wire fails. ### Update IBAN\-Dependent Customers The customer\-facing IBAN change is the single biggest source of complaints. For UK customers, the [Payment Accounts Regulations 2015](https://www.legislation.gov.uk/uksi/2015/2038/contents/made)⁵[^5] set out a switching framework that — in theory — banks can use to redirect inbound credits. In practice, that mechanism does not extend to **EMIs** or **CASPs**, so you carry the customer\-update burden yourself. Send the customer email at the moment the new IBAN goes live. Include a 14\-day overlap during which both IBANs accept credits if possible — **some banks will not allow this** — and provide a clear support escalation route. Expect a **3–5×** support\-ticket volume spike for 72 hours after send. ### File Regulator Notification By Hour 72, the regulator notification should be filed \(if the decision was "notify on activation" or "notify on migration"\). For EEA firms supervised by national competent authorities and indirectly by the [ECB](https://www.bankingsupervision.europa.eu/banking/srep/html/index.en.html)⁶[^6], the framing should be: \(a\) event, \(b\) customer\-fund impact \(ideally: none\), \(c\) actions taken, \(d\) backup activated, \(e\) timeline. Concise, factual, no editorialising about the bank. ### Document the Audit Trail The audit trail is what the regulator looks at six months later, and what the next bank's onboarding team asks for during diligence. Build a single closure\-event file containing: the original notice, your written acknowledgement, the MLRO assessment, the customer\-fund protection plan, the regulator\-notification decision memo, the customer email, the treasury movement log, and the final reconciliation. **This file is also a banking\-diligence asset** — it demonstrates operational maturity to the next bank in the queue. ## Closure\-Reason Taxonomy and Response Closure notices rarely state the real reason. The table below maps the six categories your MLRO should consider, with the matching response posture. *Table: The six closure\-reason categories regulated crypto firms encounter, with notice window, regulator\-notification obligation, and recovery probability.* | Closure Reason | Typical Notice | Regulator Notification | Recovery Probability | | --- | --- | --- | --- | | Strategic exit \(bank leaves segment\) | 60 days | Notify on activation | Low — bank will not re\-engage | | Risk recalibration \(tier downgrade\) | 60–90 days | Notify if material | Medium — possible re\-onboarding 12–24 months later | | SAR\-related \(transaction alert\) | 30 days or less | Notify within 24 hours | Very low — bank will not reverse | | Sanctions\-trigger \(screening hit\) | Immediate to 30 days | Notify within 24 hours; SAR if required | Zero — and other banks may follow | | Volume\-tier exit \(you outgrew the relationship\) | 60–120 days | Notify on activation | High — upgrade path possible at peer bank | | Force majeure \(bank under stress\) | Variable | Notify on activation | Not applicable — bank\-side event | ## Pre\-Built vs Reactive Response — The Outcomes Compared The difference between a pre\-built protocol and a reactive scramble is measurable on every dimension that matters. *Table: Pre\-built protocol versus reactive response: outcome comparison across four dimensions.* | Dimension | Pre\-Built Protocol | Reactive Response | | --- | --- | --- | | Migration timeline | 48–72 hours to operational | 21–45 days, often longer | | Customer\-fund exposure | Zero gap days | 3–14 gap days; potential safeguarding breach | | Customer impact | Single IBAN\-change email, contained complaints | Service interruption, mass complaints, churn spike | | Regulator perception | Demonstrates operational resilience | Demonstrates fragility; triggers supervisory attention | | Next\-bank diligence | Documented event becomes a positive reference | Becomes an open question in every future application | ## The Pre\-Built Protocol Asset Pack The 72\-hour window only works if the assets exist before the notice arrives. Build these now, not when the email lands. 1. **Backup\-bank MoU or framework agreement** — a signed \(even if dormant\) agreement with at least one alternative banking partner, ideally two. The MoU should set onboarding\-fast\-track terms triggered by a force\-majeure notification. 1. **Customer\-letter template** — pre\-approved by legal, GDPR\-compliant, with placeholders for new IBAN, cutover date, and overlap window. Saves 8–12 hours in the panic window. 1. **MLRO escalation memo template** — a one\-page closure\-reason assessment template the MLRO can populate in under 2 hours. 1. **IBAN\-portability inventory** — a living document listing every system, partner, and customer\-facing surface that references the current IBAN. Updated quarterly. 1. **Treasury\-movement playbook** — the sequence, currency\-by\-currency, of how funds move from old to new, with named approvers and daily limit ceilings. 1. **Board minutes template** — pre\-drafted resolution capturing the board's awareness of the event, approval of the response plan, and delegation of execution. Filed within Hour 48. 1. **Regulator\-notification draft** — a skeleton notification letter with placeholders, pre\-cleared with legal counsel, ready for MLRO sign\-off in under 30 minutes. ## What Happens If You Miss the 72\-Hour Window Missing the window does not mean instant insolvency. It means a sequence of secondary failures that compound across the 60\-day notice period. **Legal exposure**. Failure to maintain continuous safeguarding under **EMD2** exposes the firm to enforcement action, individual liability for the senior management function holders under the **SMCR** regime, and potential criminal liability if customer funds are commingled with operational funds during the gap. **Regulator perception**. A firm that loses banking continuity is, by definition, a firm whose **business continuity plan failed**. That triggers a fresh look at the firm's BCP, governance, and senior management arrangements — and supervisory attention, once invited, is hard to disinvite. **Customer\-fund risk**. Even with no actual loss, a perceived risk of customer\-fund interruption produces a deposit run. Once the run starts, the new bank's onboarding queue gets longer and your liquidity gets shorter at exactly the same moment. **Reputational hit**. The next bank to consider you reads the same press as everyone else. "Lost banking partner, scrambled for 30 days" becomes a permanent fact in every onboarding diligence file. The cost is paid in higher rates, smaller limits, and longer onboarding for years afterwards. ## Frequently Asked Questions ### How long does a bank have to give notice before closing a payment account? Under **PSD2 Art. 79**, the standard notice period for terminating a framework contract for a payment account is **two months** \(60 days\), provided the contract is open\-ended. Shorter notice is permitted where the contract specifically allows it and where the customer has materially breached the agreement. In practice, **SAR\-related** or **sanctions\-triggered** closures can be effective immediately under the bank's risk\-management policies, even where PSD2 would otherwise apply. ### Can a bank close a regulated crypto firm's account without giving a reason? Yes — and they routinely do. Most bank framework agreements reserve the right to terminate **without cause** subject to the contractual notice period. The **EBA Guidelines on de\-risking** discourage blanket category\-based de\-risking but do not prevent individual closures. In practice, regulators are reluctant to compel a bank to maintain a relationship it does not want — focus on continuity, not on appeal. ### Should we notify the FCA the moment we receive a closure notice? Not always — but the decision must be documented within Hour 24. The **FCA** under **SYSC 4** expects notification of matters that materially affect the firm's ability to meet its threshold conditions. A closure with a confirmed backup activating within 72 hours is often best notified **on activation** — with the event, response, and outcome wrapped in a single notification — rather than as an unfolding situation. A closure without a backup is a different decision and almost always notifiable immediately. ### What is the single biggest mistake firms make in the first 24 hours? Treating the closure notice as a **negotiation** rather than a fact. Hours spent drafting persuasive replies, requesting calls with relationship managers, or escalating to the bank's compliance team are hours not spent on parallel activation. By the time the bank confirms the decision is final \(and it almost always is\), the migration window has shrunk. Acknowledge in writing, ask for the operational timetable, then execute the protocol. ### How many backup banking relationships should we have ready before notice arrives? At minimum, **two** beyond the primary — one Tier\-1 EU clearing bank and one specialist crypto\-native EMI is a common pattern. The three\-bank model is the operational floor; firms that survive multiple closure events typically run a four\-bank model with quarterly rotation of live volume across at least two to keep all relationships warm. See the related Three\-Bank Resilience Standard guide for the full architecture. > **Call to action:** Book a free banking continuity audit. We map your exposure and pre\-build the protocol before notice ever arrives. Response within 24 hours. ## Related Guides - [De\-Banking Response Playbook](/resources/de-banking-response-playbook) — the 30\-day recovery framework that picks up where the 72\-hour protocol ends. - [The Three\-Bank Resilience Standard](/resources/three-bank-resilience-standard) — the multi\-bank architecture that makes the 72\-hour protocol executable. - [Bank Diligence File for Regulated Crypto Firms](/resources/bank-diligence-file-crypto-firm) — the standing diligence pack that compresses backup\-bank onboarding from months to weeks. - [Multi\-Currency Treasury Operations for a CASP](/resources/multi-currency-treasury-casp) — the treasury sequencing playbook that informs the Hour 36 movement plan. The 72\-Hour Closure Response Protocol is not a document — it is a **capability**. It exists in the assets you have pre\-built, the relationships you have pre\-warmed, the templates you have pre\-cleared, and the muscle memory of the team that has rehearsed it. The firms that will keep banking access through the next supervisory cycle, the next geopolitical jolt, the next institutional risk\-recalibration are the ones treating closure not as a crisis to be feared but as a **scheduled event for which the protocol is already in the drawer**. Build the protocol now — long before the email lands at 16:42 on a Thursday. ## Footnotes [^1]: Directive \(EU\) 2015/2366 on payment services in the internal market \(PSD2\), Article 79 — Termination of framework contracts. [^2]: Directive 2009/110/EC on the taking up, pursuit and prudential supervision of the business of electronic money institutions \(EMD2\), Article 7 — Safeguarding requirements. [^3]: FCA Handbook SYSC 4 — General organisational requirements, including obligations to notify the FCA of matters that could affect the firm's ability to meet threshold conditions. [^4]: EBA Guidelines EBA/GL/2023/04 on policies and procedures in relation to compliance management and on the role and responsibilities of the AML/CFT Compliance Officer; includes guidance on the de\-risking of categories of customers. [^5]: The Payment Accounts Regulations 2015 \(UK\), SI 2015/2038 — implementing the EU Payment Accounts Directive on account switching and comparable services. [^6]: European Central Bank — Banking Supervision: Supervisory Review and Evaluation Process \(SREP\), describing how Joint Supervisory Teams assess significant institutions. --- Source: https://finconduit.com/resources/bank-closure-72-hour-protocol