• SIO-9.1 General Requirements

    • SIO-9.1.1

      Stablecoin issuers must have in place clear and comprehensive policies and procedures, from a technology perspective, for the following key areas:

      (a) Maintenance and development of systems and architecture (e.g., code version control, implementation of updates, issue resolution, regular internal and third-party testing);
      (b) Security measures and procedures for the safe storage and transmission of data;
      (c) Business continuity and client engagement planning in the event of both planned and unplanned system outages;
      (d) Processes and procedures specifying management of personnel and decision-making by qualified staff; and
      (e) Procedures for the creation and management of services, interfaces and channels provided by or to third parties (as recipients and providers of data or services).
      Added: July 2025

    • SIO-9.1.2

      Stablecoin issuers must, as a minimum, have in place systems and controls with respect to the following:

      (a) Wallets: Procedures describing the creation, management and controls of wallets, including:

      i. Wallet setup/configuration/deployment/deletion/backup and recovery;
      ii. Wallet access privilege management;
      iii. Wallet user management;
      iv. Wallet Rules and limit determination, review and update; and
      v. Wallet audit and oversight.

      (b) Private keys: Procedures describing the creation, management and controls of private keys, including:

      i. Private key generation;
      ii. Private key exchange;
      iii. Private key storage;
      iv. Private key backup;
      v. Private key destruction; and
      vi. Private key access management.

      (c) Origin and destination of approved stablecoins: Systems and controls to mitigate the risk of misuse of approved stablecoins, setting out how:

      i. The origin of approved stablecoin is determined, in case of an incoming transaction; and
      ii. The destination of approved stablecoin is determined, in case of an outgoing transaction.

      (d) Security: A security plan describing the security arrangements relating to:

      i. The privacy of sensitive data;
      ii. Networks and systems;
      iii. Cloud-based services;
      iv. Physical facilities; and
      v. Documents, and document storage.

      (e) Risk management: A risk management plan containing a detailed analysis of likely risks with both high and low impact, as well as mitigation strategies. The risk management plan must cover, but is not limited to:

      i. Operational risks;
      ii. Technology risks, including ‘hacking’ related risks;
      iii. Market risk; and
      iv. Risk of financial crime.
      Added: July 2025

    • SIO-9.1.3

      The CBB may grant waivers from specific requirements of technology governance and cyber security. A stablecoin issuer seeking a waiver from specific requirements must provide in writing, to the satisfaction of the CBB, that the nature, scale and complexity of its business does not require such technology governance and cyber security measures and that in the absence of such measures there will be no risk of violation of applicable laws, including the CBB law, its regulations, resolutions or directives (including these rules) or risks associated with the integrity of the market and/or interest of clients.

      Added: July 2025

    • System Resilience

      • SIO-9.1.4

        Stablecoin issuers must have in place effective systems, procedures and arrangements to ensure that their IT systems are resilient to meet the business requirements.

        Added: July 2025

      • SIO-9.1.5

        Stablecoin issuers must continuously monitor the utilisation of their system resources against a set of pre-defined thresholds. Such monitoring must facilitate the licensee in carrying out capacity management to ensure IT resources are adequate to meet current and future business needs.

        Added: July 2025

      • SIO-9.1.6

        Stablecoin issuers must conduct regular testing of the resilience of their IT systems to meet their business requirements.

        Added: July 2025

      • SIO-9.1.7

        A stablecoin issuer’s IT system must be designed and implemented in a manner to achieve the level of system availability that is commensurate with its business needs. Fault-tolerant solutions must be implemented for IT systems which require high system availability and technical glitches must be minimized.

        Added: July 2025