Back Custom print Link Text Only Rich Text Print

  • Systems and Controls

    • CRA-6.1.6

      The risk management framework of licensee must provide for the establishment and maintenance of effective systems and controls as are appropriate to their business, so as to identify, measure, monitor and manage risks.

      Added: April 2019

    • CRA-6.1.7

      An effective framework for risk management should include systems to identify, measure, monitor and control all major risks on an on-going basis. The risk management systems should be approved and periodically reviewed by the Board.

      Added: April 2019

    • CRA-6.1.8

      The systems and controls required under Paragraph CRA-6.1.6 must be proportionate to the nature, scale and complexity of the licensee’s activities.

      Amended: April 2023
      Added: April 2019

    • CRA-6.1.9

      The processes and systems required must enable the licensee to identify the major sources of risk to its ability to meet its liabilities as they fall due, including the major sources of risk in each of the following categories:

      (a) Counterparty risk;
      (b) Market risk;
      (c) Liquidity risk;
      (d) Operational risk including cyber security risk;
      (e) Outsourcing risk;
      (f) Group risk; and
      (g) Any additional categories relevant to its business.
      Amended: April 2023
      Added: April 2019

    • CRA-6.1.10

      Licensees must establish and maintain a risk management function that operates independently and which has sufficient authority and resources, including access to the Board of Directors, to facilitate the carrying out of the following tasks:

      (a) The implementation of the risk management framework and maintenance of effective systems and controls referred to in Paragraph CRA-6.1.6;
      (b) The provision of reports and advice to senior management;
      (c) The development of the licensee's risk strategy; and
      (d) Direct communication with the Board of Directors, independently from the licensee's senior management, regarding concerns, where specific risk developments affect or may affect the licensee, without prejudice to the responsibilities of the Board of Board in its supervisory and/or managerial functions.
      Amended: April 2023
      Added: April 2019

    • CRA-6.1.11

      The CBB may permit a licensee to establish and maintain a risk management function which does not operate independently, provided this does not give rise to conflicts of interest and the licensee demonstrates to the CBB that the establishment and maintenance of a dedicated independent risk management function with sole responsibility for the risk management function is not appropriate and proportionate in view of the nature, scale and complexity of its business and the nature and range of the regulated crypto-asset services undertaken in the course of that business.

      Amended: April 2023
      Added: April 2019

    • CRA-6.1.12

      Where a licensee is granted an exemption referred to in Paragraph CRA-6.1.11, the licensee must nevertheless be able to demonstrate that the policies and procedures which it has adopted in accordance with Paragraph CRA-6.1.6 satisfy the requirements thereof and are consistently effective.

      Added: April 2019