• SIO-9.4 Cryptographic Keys and Wallet Storage

    • SIO-9.4.1

      Stablecoin issuers must implement robust procedures and protective measures to ensure the secure generation, storage, backup and destruction of both public and private keys.

      Added: July 2025

    • SIO-9.4.2

Stablecoin issuers must use multi-signature wallets, i.e. wallets where multiple private keys are associated with a given public key and a subset of these private keys, held by different parties, is required to authorise transactions.

      Added: July 2025

    • Private Key Management

      • SIO-9.4.3

A stablecoin issuer must establish and implement strong internal controls and governance procedures for private key management to ensure that all cryptographic seeds and private keys are securely generated, stored and backed up. A stablecoin issuer using a third-party custodian to hold approved stablecoins must ensure that the third-party custodian establishes and implements such controls and procedures. The procedures must include the following:

        (a) The generated seed and private key must be sufficiently resistant to speculation or collusion. The seed and private key should be generated in accordance with applicable international security standards and industry best practices, so as to ensure that the seeds (where Hierarchical Deterministic Wallets, or similar processes, are used) or private keys (where no seed is used) are generated in a non-deterministic manner that ensures randomness, so that they are not reproducible. Where practicable, seeds and private keys should be generated offline and kept in a secure environment, such as a Hardware Security Module (HSM) with appropriate certification, for the lifetime of the seeds or private keys;
        (b) Detailed specifications for how access to cryptographic devices or applications is to be authorised, covering key generation, distribution, use and storage, as well as the immediate revocation of a signatory's access as required;
        (c) Access to seeds and private keys relating to approved stablecoins is tightly restricted to senior management personnel residing in Bahrain, no single person has possession of information on the entirety of the seed, private key or backup passphrases, and controls are implemented to mitigate the risk of collusion among authorised personnel;
        (d) Distributed backups of the seed or private key are kept so as to mitigate any single point of failure. The backups must be distributed in a manner such that an event affecting the primary location of the seed or private key does not affect the backups. The backups should be stored in a protected form on external media (preferably an HSM with appropriate certification); and
        (e) Distributed backups should be stored in a manner that ensures that the seed or private key cannot be regenerated based solely on the backups stored in the same physical location. Access control to the backups must be as stringent as access control to the original seed and private key.

        Added: July 2025
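        The generation and distributed-backup requirements of SIO-9.4.3(a), (d) and (e), as an added illustrative example that is not code from the CBB rulebook or from any issuer or custodian: a seed is drawn from the operating system's CSPRNG, then split with Shamir secret sharing so that a threshold of shares reconstructs it while any smaller set, in particular everything held at one site, reveals nothing. The rulebook does not mandate Shamir sharing by name; it is one technique that satisfies (e) and is used here as an assumption. The function names, the 3-of-5 threshold, the 521-bit Mersenne prime field and the vault names are all assumptions of this example, and in production the seed would be generated and split inside a certified HSM rather than in application code.

```python
import secrets
from typing import Dict, List, Tuple

# Field for the sharing polynomial: 2^521 - 1 is a Mersenne prime, so any
# 32-byte seed (an integer below 2^256) fits comfortably as a field element.
PRIME = 2**521 - 1

Share = Tuple[int, int]  # (x, f(x)); x is the share index, never 0


def generate_seed(nbytes: int = 32) -> bytes:
    """SIO-9.4.3(a): non-deterministic seed from the OS CSPRNG, not a PRNG
    seeded by time or a passphrase, so the value is not reproducible."""
    return secrets.token_bytes(nbytes)


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate coeffs[0] + coeffs[1]*x + ... mod PRIME (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_seed(seed: bytes, threshold: int, shares: int) -> List[Share]:
    """Split the seed into `shares` pieces; any `threshold` of them rebuild it.
    The secret is the constant term of a random degree (threshold-1) polynomial."""
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    secret = int.from_bytes(seed, "big")
    if secret >= PRIME:
        raise ValueError("seed too large for the field")
    # Higher coefficients come from the CSPRNG as well; their secrecy is what
    # makes fewer than `threshold` shares information-theoretically useless.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_int(shares: List[Share]) -> int:
    """Lagrange interpolation at x = 0. With fewer than `threshold` shares this
    still returns a field element, but one unrelated to the real secret."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def recover_seed(shares: List[Share], nbytes: int = 32) -> bytes:
    """Reconstruct the seed bytes; fails loudly if the shares are inconsistent
    (for example, an insufficient set produced a value that cannot be a seed)."""
    value = recover_int(shares)
    if value >= 1 << (8 * nbytes):
        raise ValueError("shares do not reconstruct a seed of this length")
    return value.to_bytes(nbytes, "big")


def check_backup_distribution(placement: Dict[str, List[int]],
                              threshold: int) -> List[str]:
    """SIO-9.4.3(e): return every location whose shares alone would regenerate
    the seed, i.e. any site holding `threshold` or more distinct share indices."""
    return sorted(site for site, idx in placement.items()
                  if len(set(idx)) >= threshold)


if __name__ == "__main__":
    seed = generate_seed()
    parts = split_seed(seed, threshold=3, shares=5)
    # Constructed placement: five shares over three vaults, none holding three.
    plan = {"vault-A": [1, 2], "vault-B": [3, 4], "vault-C": [5]}
    print("violating sites:", check_backup_distribution(plan, 3))   # []
    print("3 shares rebuild seed:", recover_seed(parts[:3]) == seed)  # True
```

Run it as a script to see a 3-of-5 split and the placement check; `recover_int` on two shares returns a value that is uniformly distributed over the field and independent of the seed, which is what lets the placement in the example satisfy (e) even though vault-A's two shares sit in one location.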