• CRA-5.1 General Requirements

    • CRA-5.1.1

      Licensees must have in place clear and comprehensive policies and procedures, from a technology perspective, for the following key areas:

      (a) Maintenance and development of systems and architecture (e.g., code version control, implementation of updates, issue resolution, regular internal and third-party testing);
      (b) Security measures and procedures for the safe storage and transmission of data;
      (c) Business continuity and client engagement planning in the event of both planned and unplanned system outages;
      (d) Processes and procedures specifying management of personnel and decision-making by qualified staff; and
      (e) Procedures for the creation and management of services, interfaces and channels provided by or to third parties (as recipients and providers of data or services).
      Added: April 2019

    • CRA-5.1.2

      Licensees must, as a minimum, have in place systems and controls with respect to the following:

      (a) Crypto-asset Wallets: Procedures describing the creation, management and controls of crypto-asset wallets, including:
      (i) Wallet setup/configuration/deployment/deletion/backup and recovery;
      (ii) Wallet access privilege management;
      (iii) Wallet user management;
      (iv) Wallet rules and limit determination, review and update; and
      (v) Wallet audit and oversight.
      (b) Private keys: Procedures describing the creation, management and controls of private keys, including:
      (i) Private key generation;
      (ii) Private key exchange;
      (iii) Private key storage;
      (iv) Private key backup;
      (v) Private key destruction; and
      (vi) Private key access management.
      (c) Origin and destination of crypto-assets: Systems and controls to mitigate the risk of misuse of crypto-assets, setting out how:
      (i) The origin of a crypto-asset is determined, in the case of an incoming transaction; and
      (ii) The destination of a crypto-asset is determined, in the case of an outgoing transaction.
      (d) Security: A security plan describing the security arrangements relating to:
      (i) The privacy of sensitive data;
      (ii) Networks and systems;
      (iii) Cloud based services;
      (iv) Physical facilities; and
      (v) Documents, and document storage.
      (e) Risk management: A risk management plan containing a detailed analysis of likely risks with both high and low impact, as well as mitigation strategies. The risk management plan must cover, but is not limited to:
      (i) Operational risks;
      (ii) Technology risks, including 'hacking' related risks;
      (iii) Market risk for each crypto-asset; and
      (iv) Risk of financial crime.
      Amended: April 2023
      Added: April 2019

    • CRA-5.1.3

      The CBB may grant exemptions from specific requirements of technology governance and cyber security. A licensee seeking exemption from specific requirements must demonstrate in writing, to the satisfaction of the CBB, that the nature, scale and complexity of its business does not require such technology governance and cyber security measures, and that in the absence of such measures there will be no risk of violation of applicable laws, including the CBB Law, its regulations, resolutions or directives (including these rules), and no risk to the integrity of the market and/or the interests of clients.

      Amended: April 2023
      Added: April 2019

    • System Resilience

      • CRA-5.1.4

        Licensees must have in place effective systems, procedures and arrangements to ensure that their IT systems, including the trading and settlement systems, are resilient; have sufficient capacity to deal with peak order and message volumes; are able to ensure orderly trading under conditions of severe market stress; are fully tested to ensure such conditions are met; and are subject to effective business continuity arrangements to ensure continuity of their services if there is any failure of their trading systems.

        Added: April 2023

      • CRA-5.1.5

        Licensees must continuously monitor the utilisation of their system resources against a set of pre-defined thresholds. Such monitoring must facilitate the licensee in carrying out capacity management to ensure IT resources are adequate to meet current and future business needs.

        Added: April 2023

      • CRA-5.1.6

        Licensees must conduct regular testing of the resilience of their IT systems to confirm that those systems meet their business requirements.

        Added: April 2023

      • CRA-5.1.7

        A licensee’s IT systems must be designed and implemented in a manner to achieve the level of system availability that is commensurate with its business needs. Fault-tolerant solutions must be implemented for IT systems which require high system availability and technical glitches must be minimized.

        Added: April 2023