DLT Provider Guidance Notes: Protection of Clients' Assets and Money

Introduction

The purpose of this guidance note is to provide a DLT Provider, as defined in the Financial Services (Distributed Ledger Technology Providers) Regulations 2017 (the DLT Regulations), with guidance as to the operational, technical and organisational standards expected, and in some circumstances required, by the GFSC. This guidance note is specifically in respect of the regulatory principle under paragraph 5 of Schedule 2 of the DLT Regulations (the Regulatory Principle). The Regulatory Principle states that "A DLT Provider must have effective arrangements in place for the protection of client assets and money when it is responsible for them."

This document should be read as interpretative guidance for a DLT Provider, and the examples contained in this document should be noted as indicative of good practice by a DLT Provider in connection with the Regulatory Principle. A DLT Provider should note that the GFSC will take this document into account when reviewing a DLT Provider's practices. The operational standards expected and required by the GFSC of a DLT Provider will vary depending on the size, particular nature, scale or complexity of the DLT Provider's business.

Customer Asset Management

These guidelines are provided primarily in respect of digital assets representing value (as defined in the DLT Regulations). A DLT Provider will be expected to take all reasonable precautions to protect customer assets and money in its custody or control against any eventualities and threats. Custodial assets and monies must be segregated from the DLT Provider's own assets and monies. To the extent that a DLT Provider holds fiat currencies for customers (e.g. pending or following conversion to or from cryptocurrency), any such funds must be protected, sufficiently liquid, and clearly segregated as customer monies with a regulated credit, e-money or payment institution acceptable to the GFSC. Alternatively, a DLT Provider must demonstrate to the GFSC that it can achieve these outcomes via other means.

A DLT Provider must put in place appropriate policies, processes and procedures to protect customer assets. A DLT Provider is expected to consider, as a minimum, the following key areas in any such processes and procedures:

Management Responsibility

A DLT Provider is expected to nominate one of its directors or senior management as being primarily responsible for customer assets and to notify the GFSC of such appointment.

Systems of Controls

A DLT Provider must have appropriate systems of control to manage customer assets that are proportionate to the size of the business, the assets in custody and the risks involved in that business. Systems of control related to IT and software should be up to date and meet the latest industry protocols and standards. Systems of control must be implemented to detect and prevent fraud and cybercrime, examples of which may include: Multi Factor Authentication; pattern analysis on internet traffic to servers; IP checking; looking for brute-force attacks on account passwords; and multi-level security checks of customers that request access to their accounts. A DLT Provider should consider the appropriateness, cost and benefit of obtaining insurance to cover customer assets in addition to any other safeguards that are in place. Systems of control are expected to be regularly stress-tested. A DLT Provider must consider the inherent risks related to customer assets, the mitigating controls and the residual risk, and this must be adequately recorded on the firm's risk register.

Safeguarding and Segregation

Customer assets must be held separately from a DLT Provider's own assets. Customer assets must be clearly designated and easily identifiable. Customer assets do not represent property of a DLT Provider and must therefore be protected from third-party creditors of a DLT Provider. Private Keys relating to value stored on behalf of customers should be stored and secured in a manner that minimises the risk of loss or theft. A DLT Provider that manages Private Keys relating to cryptographic assets belonging to customers should not pool values belonging to different customers using the same Keys. A DLT Provider must adequately identify the customer to which the Keys relate. A DLT Provider that uses third parties to store or safeguard customer assets will need to take all reasonable steps to ensure that the systems and controls used by the third-party provider(s) comply with these guidance notes and any other obligation imposed on the DLT Provider.
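The "Systems of Controls" passage above names brute-force detection on account passwords and IP checking as examples of controls, without saying how a provider would implement them. The following is an added example, not text or code from the GFSC or from any DLT Provider: it runs a sliding-window check over authentication log lines and raises three kinds of exception that a provider's monitoring could route to its review staff. The log format, the thresholds, the constructed sample lines and the account and IP values are all assumptions made for the example; the IP-level check goes slightly beyond the note's wording in that it also catches one source trying a few passwords against many accounts, which a per-account counter alone would miss.

```python
"""Brute-force and unfamiliar-IP detection over authentication log lines.

Added example (not GFSC text). The log format, thresholds and sample lines
below are constructed assumptions that illustrate the 'looking for brute-force
attacks on account passwords' and 'IP checking' controls named in the note.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines. Assumed format per line:
#   "<ISO timestamp> <OK|FAIL> account=<customer id> ip=<source address>"
SAMPLE_LOG = """\
2017-11-03T09:00:01 FAIL account=cust-1001 ip=203.0.113.5
2017-11-03T09:00:03 FAIL account=cust-1001 ip=203.0.113.5
2017-11-03T09:00:04 FAIL account=cust-1001 ip=203.0.113.5
2017-11-03T09:00:06 FAIL account=cust-1001 ip=203.0.113.5
2017-11-03T09:00:07 FAIL account=cust-1001 ip=203.0.113.5
2017-11-03T09:00:09 OK   account=cust-1001 ip=203.0.113.5
2017-11-03T09:05:00 OK   account=cust-2002 ip=198.51.100.7
2017-11-03T09:06:00 FAIL account=cust-3003 ip=198.51.100.9
2017-11-03T09:06:01 FAIL account=cust-4004 ip=198.51.100.9
2017-11-03T09:06:02 FAIL account=cust-5005 ip=198.51.100.9
2017-11-03T09:06:03 FAIL account=cust-6006 ip=198.51.100.9
2017-11-03T09:06:04 FAIL account=cust-7007 ip=198.51.100.9
2017-11-03T09:06:05 FAIL account=cust-8008 ip=198.51.100.9
2017-11-03T14:00:00 OK   account=cust-2002 ip=192.0.2.44
"""

FAIL_THRESHOLD = 5              # assumed policy: failures within WINDOW that raise an alert
WINDOW = timedelta(minutes=10)  # assumed policy: sliding window length


def parse_line(line):
    """Split one log line into a dict; raises ValueError on a malformed line."""
    ts, result, acct, ip = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "ok": result == "OK",
        "account": acct.split("=", 1)[1],
        "ip": ip.split("=", 1)[1],
    }


def detect(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (kind, key, timestamp) alerts in the order they are raised.

    kinds: 'account_brute_force' (many failures against one account),
           'ip_brute_force'      (many failures from one source, any accounts),
           'new_ip_step_up'      (successful login from an address never seen
                                  succeeding for that account: candidate for an
                                  additional verification step).
    """
    alerts = []
    fails_by_account = defaultdict(deque)
    fails_by_ip = defaultdict(deque)
    known_ips = defaultdict(set)   # account -> addresses with a prior successful login
    alerted = set()                # (kind, key) pairs already raised, to avoid repeats

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["ok"]:
            # Only accounts with some history can have an "unfamiliar" address.
            if ev["account"] in known_ips and ev["ip"] not in known_ips[ev["account"]]:
                alerts.append(("new_ip_step_up", ev["account"], ev["ts"]))
            known_ips[ev["account"]].add(ev["ip"])
            continue
        # A failure counts against both the account and the source address.
        for bucket, key, kind in ((fails_by_account, ev["account"], "account_brute_force"),
                                  (fails_by_ip, ev["ip"], "ip_brute_force")):
            recent = bucket[key]
            recent.append(ev["ts"])
            while recent and ev["ts"] - recent[0] > window:   # drop failures outside the window
                recent.popleft()
            if len(recent) >= threshold and (kind, key) not in alerted:
                alerted.add((kind, key))
                alerts.append((kind, key, ev["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, key, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()}  {kind:<20} {key}")
```

In the constructed sample the first account trips both the per-account and per-address counters, the second source trips only the per-address counter because it spreads its failures across six accounts, and the final successful login from an address never before associated with that customer is surfaced for step-up verification rather than blocked. Thresholds and window are policy choices that a provider would tune to its own traffic and record on its risk register.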

Frequent Reconciliation

A DLT Provider must take all reasonable steps to ensure that any value is applied to the correct wallets in good time. A DLT Provider must reconcile customer assets and its own assets as a minimum once a day.

Record Keeping

All customer asset records are expected to be stored securely during the relationship with a customer and for a minimum of 5 years following termination of the customer relationship (subject to any contrary legal requirements). Records are expected to be comprehensive and up to date. A DLT Provider is expected to operate continuous (near 24/7) real-time electronic record systems that are subject to a regular (i.e. as a minimum, every working day) exceptions-based review by suitable staff. Records are expected to include any customer instructions in respect of how to manage customer assets. Records are expected to be kept in a manner and format that provides a clear audit trail to enable an auditor to sign off on a DLT Provider's accounts and their systems and controls.

Naming and Schema

A DLT Provider must ensure that naming conventions and schema for data used to identify and protect customer assets allow the DLT Provider, the GFSC or any person appointed to step in to manage the DLT Provider to easily take control of the management of customer assets.

Cold Storage

A DLT Provider in custody of cryptographic assets based on decentralised public networks should only store private keys in online hot wallets that are sufficient to meet immediate needs. Remaining private keys should be held in offline wallets (i.e. in cold storage).
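The "Safeguarding and Segregation", "Frequent Reconciliation", "Record Keeping" and "Cold Storage" passages together describe a daily control cycle: every wallet traceable to exactly one customer (or to the provider's own assets), books agreeing with the chain, exceptions surfaced for review, and only an immediate-needs float held online. The following is an added example, not code from the GFSC or from any DLT Provider, of what such a daily reconciliation run can check. The wallet register, sub-ledger entries, on-chain balance snapshot, the "HOUSE" owner label and the 10% hot-float ceiling are all constructed assumptions; a real provider would read balances from its node or indexer and its own books.

```python
"""Daily custody reconciliation, segregation and hot-float checks.

Added example (not GFSC text). The wallet register, ledger entries, chain
balances and the hot-float policy are constructed assumptions; 'HOUSE' is the
assumed label for the provider's own (non-customer) assets.
"""
from decimal import Decimal

# Constructed wallet register: wallet id -> registered owner and storage tier.
WALLETS = {
    "wallet-A": {"owner": "cust-1001", "tier": "cold"},
    "wallet-B": {"owner": "cust-2002", "tier": "hot"},
    "wallet-C": {"owner": "cust-2002", "tier": "cold"},
    "wallet-H": {"owner": "HOUSE", "tier": "hot"},
}

# Constructed sub-ledger: (wallet, owner, amount). Holdings are recorded per wallet
# so that every wallet can be traced to the customer whose keys it represents.
LEDGER = [
    ("wallet-A", "cust-1001", Decimal("12.5")),
    ("wallet-B", "cust-2002", Decimal("0.75")),
    ("wallet-C", "cust-2002", Decimal("40.0")),
    ("wallet-C", "cust-3003", Decimal("1.0")),   # planted pooling defect for the example
    ("wallet-H", "HOUSE", Decimal("3.0")),
]

# Constructed on-chain balances as observed at reconciliation time.
CHAIN_BALANCES = {
    "wallet-A": Decimal("12.5"),
    "wallet-B": Decimal("0.70"),   # planted 0.05 shortfall: an unexplained movement
    "wallet-C": Decimal("41.0"),
    "wallet-H": Decimal("3.0"),
}

HOT_FLOAT_MAX = Decimal("0.10")  # assumed policy: at most 10% of customer value online


def reconcile(wallets, ledger, chain, hot_float_max=HOT_FLOAT_MAX):
    """Return (kind, wallet, detail) exception records for the daily review."""
    exceptions = []
    booked_by_wallet = {}
    owners_by_wallet = {}
    for wallet, owner, amount in ledger:
        booked_by_wallet[wallet] = booked_by_wallet.get(wallet, Decimal(0)) + amount
        owners_by_wallet.setdefault(wallet, set()).add(owner)

    # 1. Segregation: each wallet carries value for exactly its registered owner.
    for wallet, owners in owners_by_wallet.items():
        if wallet not in wallets:
            exceptions.append(("unknown_wallet", wallet, "ledger entry for unregistered wallet"))
            continue
        registered = wallets[wallet]["owner"]
        if owners != {registered}:
            exceptions.append(("segregation", wallet,
                               f"registered owner {registered}, ledger owners {sorted(owners)}"))

    # 2. Reconciliation: books versus chain for every registered wallet.
    for wallet in wallets:
        booked = booked_by_wallet.get(wallet, Decimal(0))
        observed = chain.get(wallet)
        if observed is None:
            exceptions.append(("missing_chain_balance", wallet, "no on-chain observation"))
        elif observed != booked:
            exceptions.append(("balance_mismatch", wallet, f"books {booked} vs chain {observed}"))

    # 3. Cold storage: hot wallets hold only what immediate needs require.
    customer_wallets = [w for w in chain if w in wallets and wallets[w]["owner"] != "HOUSE"]
    customer_total = sum((chain[w] for w in customer_wallets), Decimal(0))
    hot_total = sum((chain[w] for w in customer_wallets if wallets[w]["tier"] == "hot"), Decimal(0))
    if customer_total > 0 and hot_total / customer_total > hot_float_max:
        exceptions.append(("hot_float", "ALL",
                           f"{hot_total} of {customer_total} customer value held online"))
    return exceptions


if __name__ == "__main__":
    for kind, wallet, detail in reconcile(WALLETS, LEDGER, CHAIN_BALANCES):
        print(f"{kind:<20} {wallet:<10} {detail}")
```

In the constructed data wallet-C reconciles to the chain exactly but is still reported, because two customers' value sits behind one set of keys; a balance check alone would not reveal that. wallet-B reconciles on ownership but not on balance. The run returns an empty list only when every wallet passes all three checks, which is the condition the daily exceptions-based review would sign off.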

Published by: Gibraltar Financial Services Commission, PO Box 940, Suite 3, Ground Floor, Atlantic Suites, Europort Avenue, Gibraltar. www.gfsc.gi. © 2017 Gibraltar Financial Services Commission