• CRA-8 Crypto-asset Custody Services

    • CRA-8.1 General Requirements

      • CRA-8.1.1

        This Section applies to licensees that undertake safeguarding, storing, holding or maintaining custody of crypto-assets as specified in Paragraph CRA-1.1.6(e).

        Amended: April 2023
        Added: April 2019

      • CRA-8.1.2

        [This Paragraph was deleted in April 2023].

        Deleted: April 2023
        Added: April 2019

      • CRA-8.1.3

        A licensee which undertakes safeguarding, storing, holding or maintaining custody of crypto-assets must have systems and controls in place to:

        (a) Ensure the proper safeguarding of crypto-assets;
        (b) Ensure that such safe custody of crypto-assets is identifiable and secure at all times; and
        (c) Ensure protection against the risk of loss, theft or hacking.
        Amended: April 2023
        Added: April 2019

      • CRA-8.1.4

        [This Paragraph was deleted in April 2023].

        Deleted: April 2023
        Added: April 2019

      • CRA-8.1.5

        To the extent a licensee stores, holds, or maintains custody or control of crypto-asset on behalf of a client, such licensee must hold crypto-asset of the same type and amount as that which is owed or obligated to such other client.

        Amended: April 2023
        Added: April 2019

      • CRA-8.1.6

        A licensee is prohibited from selling, transferring, assigning, lending, hypothecating, pledging, or otherwise using or encumbering crypto-asset stored, held, or maintained by, or under the custody or control of, such licensee on behalf of a client except for the sale, transfer, or assignment of such crypto-asset at the direction of the client.

        Amended: April 2023
        Added: April 2019

      • CRA-8.1.7

        A licensee that maintains custody or control of crypto-asset must avoid conflict of interest between its function as a crypto-asset custodian and any other activities. With an objective to avoid or mitigate actual or potential conflict of interest between its custody function and any other activities, the licensee must adopt a governance structure that ensures adequate management of conflicts of interest and that its crypto-asset custody activity is fully independent from its other activities. Such governance structure must include, among other things, having separate staffing arrangements to undertake the crypto-asset custody activity, who do not have any conflicting responsibilities within the licensee’s other activities.

        Added: April 2023

      • CRA-8.1.8

        A licensee that maintains custody or control of crypto-assets on behalf of a client must store, at a minimum, 90% of client’s crypto-assets in cold wallets to minimise exposure to losses arising from a compromise or hacking. The requirement to hold 90% of client’s crypto-assets in cold wallet is to be calculated separately for each crypto-asset that is listed on the licensee’s platform and not at aggregate level.

        Added: April 2023

      • CRA-8.1.9

        A licensee must have a documented policy detailing the mechanism for the transfer of crypto-assets between hot, cold and other storage. The scope of authority of each function designated to perform any non-automated processes in such transfers must be clearly specified in the policy document.

        Added: April 2023

      • Multi-Signature Arrangement

        • CRA-8.1.10

          A licensee that maintains custody or control of crypto-assets must not, at any time, permit arrangements whereby just one party or signatory is able to completely authorise the movement, transfer or withdrawal of crypto assets held under custody on behalf of clients. In particular, licensees must not have custody arrangements whereby only a sole person can fully access the private key or keys for the crypto assets held under custody by the licensee.

          Added: April 2023

        • CRA-8.1.11

          Licensees that maintain custody or control of crypto-assets are required to mitigate the risk of collusion between the authorised persons or signatories who are able to authorise the movement, transfer or withdrawal of crypto-assets held under custody.

          Added: April 2023

      • Other Requirements

        • CRA-8.1.12

          Licensees that maintain custody or control of crypto-assets are required to maintain, at all times, an updated list of all past and present authorised persons who were / are able to view, initiate, authorise, sign, approve or complete the transfer or withdrawal of crypto assets held under custody on behalf of clients. In addition, licensees must have clearly defined policies and procedures to enable or revoke the authority granted to these persons.

          Added: April 2023

        • CRA-8.1.13

          Licensees that maintain custody or control of crypto-assets are required to have policies and procedures in place that clearly describe the process that will be adopted in the event that the licensee comes to know or suspects that the crypto assets it is holding under custody on behalf of clients have been compromised, such as in the event of a hacking attack, theft or fraud. Such policies and procedures must detail the specific steps the licensee will take to protect client’s crypto assets in the event of such incidents. Licensees must also have the ability to immediately halt all further transactions with regard to the crypto assets.

          Added: April 2023

      • Forks and Air Drops

        • CRA-8.1.14

          Licensees must have written procedures for dealing with events such as forks (hard, soft or temporary forks) or air drops from an operational and technical point of view.

          Added: April 2023

        • CRA-8.1.15

          Where a licensee supports a new protocol, it must ensure that changes in the underlying protocol of a crypto-asset that result in a fork are managed and tested proactively. This includes temporary forks which should be managed for reverse compatibility for as long as required.

          Added: April 2023

        • CRA-8.1.16

          Where a licensee supports a new protocol, a licensee must ensure that their clients are able to deposit and withdraw crypto-assets in and out of the wallet as and when requested before and after a fork (except during go-live). Clients must be notified well in advance of any periods of time when deposits and withdrawals are not feasible.

          Added: April 2023

        • CRA-8.1.17

          Where the underlying protocol of a crypto-asset is changed, and the older version of the crypto-asset is no longer compatible with the new version and/or there is an entirely new and separate version of the crypto-asset (hard fork), a licensee, where it supports a new protocol, must ensure that client balances on the old version are reconciled with the new version of the crypto-asset. This includes availability of reverse compatibility for as long as required. A licensee must maintain transparent lines of communication with their clients on how they are managing clients’ crypto-asset holdings in such a scenario.

          Added: April 2023

        • CRA-8.1.18

          In the case of a hard fork, a licensee, where it supports a new protocol, must proactively manage any discrepancy between the balances recorded on the previous version versus the new version by engaging with the entity which is responsible for updating and supporting the underlying protocol of the relevant crypto-asset. Additionally, licensees must ensure that, where they seek to offer services in relation to the crypto-asset associated with the new version of the underlying protocol, this new crypto-asset meets the requirements for a crypto-asset and that they notify the CBB well in advance of offering the new crypto-asset as part of their activities.

          Added: April 2023

    • CRA-8.2 Custodial Arrangements

      • CRA-8.2.1

        Licensees must provide to the CBB, for prior written approval, details of custodial arrangement put in place to safeguard, store, hold or maintain custody of crypto-assets.

        Amended: April 2023
        Added: April 2019

      • CRA-8.2.2

        Licensees may implement the following three types of custodial arrangements or any other type of custodial arrangement that is acceptable to the CBB:

        (a) The licensee is wholly responsible for custody of client’s crypto-assets and provides this service “in-house” through its own crypto-assets wallet solution. Such an arrangement includes scenarios where a licensee provides its own in-house proprietary wallet for clients to store any crypto-assets bought through that licensee or transferred into the wallet from other sources.
        (b) The licensee is wholly responsible for the custody of client’s crypto-assets but outsources this service to a third party crypto-asset custodian. Such an arrangement includes the scenario where a licensee uses a third-party service provider to hold all its clients’ accepted crypto-assets (e.g., all or part of the clients’ private keys).
        (c) The licensee wholly allows clients to “self-custodise” their accepted crypto-assets. Such an arrangement includes scenarios where licensees require clients to self-custodise their crypto-assets. Such licensees only provide the platform for clients to buy and sell crypto-assets. Clients are required to source and use their own third party crypto-asset custodians (which the licensee has no control over or responsibility for). This arrangement also includes the scenario where licensees provide an in-house wallet service for clients, but also allow clients to transfer their crypto-assets out of this wallet to another wallet from a third-party wallet provider chosen by the client (and which the licensee does not control).
        Amended: April 2023
        Added: April 2019

      • Third Party Crypto-asset Custody Arrangement

        • CRA-8.2.3

          For the purposes of Paragraph CRA-8.2.2(b), where a licensee provides a third party crypto-asset custodian to a client it must undertake an appropriate risk assessment of that crypto-asset custodian. Licensees must also retain ultimate responsibility for safe custody of crypto-assets held on behalf of clients and ensure that they continue to meet all their regulatory obligations with respect to crypto-asset custody service and outsourced activities.

          Amended: April 2023
          Added: April 2019

        • CRA-8.2.4

          In undertaking an appropriate risk assessment of the third party crypto-asset custodian in accordance with Paragraph CRA-8.2.3, licensees should take into account any or all of the following:

          (a) The expertise and market reputation of the third party crypto-asset custodian, and once a crypto-asset has been lodged by the licensee with the third party crypto-asset custodian, the crypto-asset custodian's performance of its services to the licensee;
          (b) The arrangements, including cyber security measures, for holding and safeguarding crypto-assets;
          (c) An appropriate legal opinion as to the protection of crypto-assets in the event of insolvency of the custodian;
          (d) Whether the third party crypto-asset custodian is regulated and by whom;
          (e) The capital or financial resources of the third party crypto-asset custodian;
          (f) The credit rating of the third party crypto-asset custodian; and
          (g) Any other activities undertaken by the third party crypto-asset custodian and, if relevant, any affiliated company.
          Amended: April 2023
          Added: April 2019

        • CRA-8.2.5

          When assessing the suitability of the third party crypto-asset custodian, the licensee must ensure that the third party crypto-asset custodian will provide protections equivalent to the protections specified in this Section and applicable client asset and client money protection rules as specified in Chapter CRA-4.5.

          Amended: April 2023
          Added: April 2019

        • CRA-8.2.6

          A licensee that safeguards, stores, holds or maintains custody of crypto-assets with a third party crypto-asset custodian, must establish and maintain a system for assessing the appropriateness of its selection of the crypto-asset custodian and assess the continued appointment of that crypto-asset custodian periodically as often as is reasonable. The licensee must make and retain a record of the grounds on which it satisfies itself as to the appropriateness of its selection or, following a periodic assessment, continued appropriateness of the crypto-asset custodian.

          Amended: April 2023
          Added: April 2019

        • CRA-8.2.7

          [This Paragraph was deleted in April 2023].

          Deleted: April 2023
          Added: April 2019

      • Self-Custody Arrangement

        • CRA-8.2.8

          For the purposes of Paragraph CRA-8.2.2(c), the CBB considers scenarios where clients are required to self-custodise their crypto-assets as being a material risk given that the burden of protecting and safeguarding crypto-assets falls wholly upon clients, and that the crypto-assets face the constant risk of being stolen by malicious actors. As such, licensees requiring clients to self-custodise crypto-assets are required to disclose this fact fully and clearly upfront to clients and meet the disclosure standards as specified in Paragraph CRA-4.5.8.

          Amended: April 2023
          Added: April 2019

        • CRA-8.2.9

          [This Paragraph was deleted in April 2023].

          Deleted: April 2023
          Added: April 2019

    • CRA-8.3 Crypto Wallets

      • CRA-8.3.1

        [This Paragraph was deleted in April 2023].

        Deleted: April 2023
        Added: April 2019

      • CRA-8.3.2

        For the purposes of this Section, licensees should consider, at the minimum, the following two types of crypto-asset wallets:

        (a) Custodial Wallet: the custodial wallet provider holds crypto-assets (e.g., the private keys) as an agent on behalf of clients and has at least some control over these crypto-assets. Licensees that hold crypto-assets on behalf of their clients should generally offer custodial wallets and may even offer multi-signature wallets (Paragraph CRA-5.4.5). Clients using custodial wallets do not necessarily have full and sole control over their crypto-assets. In addition, there is a risk that should the custodial wallet provider cease operations or get hacked, clients may lose their crypto-assets; and
        (b) Non-Custodial (Self-Custody) Wallets: the non-custodial wallet provider, typically a third-party hardware and/or software company, offers the means for each client to hold their crypto-assets (and fully control private keys) themselves. The non-custodial wallet provider does not control client’s crypto-assets – it is the client that has sole and full control over their crypto-assets. Hardware wallets, mobile wallets, desktop wallets and paper wallets are generally examples of non-custodial wallets. Clients using non-custodial wallets have full control of and sole responsibility for their crypto-assets, and the non-custodial wallet provider does not have the ability to effect unilateral transfers of clients’ crypto-assets without clients’ authorisation.
        Amended: April 2023
        Added: April 2019

      • CRA-8.3.3

        In addition to the two main crypto-asset wallet types described in Paragraph CRA-8.3.2 above, the CBB recognises that there may be alternative crypto-asset wallet models in existence or which may emerge in future. Licensees seeking to provide such alternative types of crypto-asset wallets and who are unsure of the regulatory obligations they may attract are encouraged to contact the CBB.

        Added: April 2019

      • CRA-8.3.4

        Only entities providing the custodial wallets as described in Paragraph CRA-8.3.2(a) above are considered to be carrying out the regulated activity of safeguarding, storing, holding, maintaining custody of or arranging custody on behalf of clients for crypto-assets as specified in Paragraph CRA-1.1.6(e). With respect to the non-custodial wallets as described in Paragraph CRA-8.3.2(b) above, the wallet provider is merely providing the technology; it is the wallet user himself who has full control of and responsibility for the crypto-assets.

        Amended: April 2023
        Added: April 2019

      • CRA-8.3.5

        [This Paragraph was deleted in April 2023].

        Deleted: April 2023
        Added: April 2019

      • CRA-8.3.6

        Licensees must assess the risks posed to each storage method in view of the new developments in security threats, technology and market conditions and must implement appropriate storage solutions to ensure the secure storage of crypto-assets held on behalf of clients. Wallet storage technology and any upgrades should be tested comprehensively before deployment to ensure reliability. A licensee must implement, and must ensure that its third-party crypto-asset custodian implements, measures to deal with any compromise or suspected compromise of all or part of any seed or private key without undue delay, including the transfer of all client crypto-assets to a new storage location as appropriate.

        Added: April 2023

      • CRA-8.3.7

        Licensees must have, or where the licensee uses the service of a third party crypto-asset custodian it must ensure that the third party crypto-asset custodian has, adequate processes in place for handling deposit and withdrawal requests for crypto-asset to guard against loss arising from theft, fraud and other dishonest acts, professional misconduct or omissions. In this regard, a licensee must:

        (a) Continuously monitor major developments (such as technological changes or the evolution of security threats) relevant to all crypto-assets included for trading. There must be clear processes in place to evaluate the potential impact and risks of these developments, as well as processes for handling fraud attempts specific to distributed ledger technology (such as 51% attacks), and these processes should be proactively executed;
        (b) Ensure that client IP addresses as well as wallet addresses used for deposit and withdrawal are whitelisted, using appropriate confirmation methods;
        (c) Have clear processes in place to minimise the risks relating to handling deposits and withdrawals, including whether deposits and withdrawals are performed using hot or cold storage, whether withdrawals are processed on a real-time basis or only at certain cut-off times, and whether the withdrawal process is automatic or involves manual authorisation;
        (d) Ensure that any decision to suspend the withdrawal of crypto-assets is made on a transparent and fair basis, and is communicated without delay to all its clients; and
        (e) Ensure that the above processes include safeguards against fraudulent requests or requests made under duress as well as controls to prevent one or more officers or employees from transferring assets to wallet addresses other than the client’s designated wallet address.
        Added: April 2023

      • CRA-8.3.8

        Where the licensee appoints a third-party crypto-asset custodian, the licensee must ensure that such custodian implements the above requirements.

        Added: April 2023

    • CRA-8.4 Reconciliation, Client Reporting and Record Keeping

      • Reconciliation

        • CRA-8.4.1

          A licensee must at least every calendar month:

          (a) [This Subparagraph was deleted in April 2023];
          (b) Reconcile all crypto-assets held by the licensee, or its appointed third party custodian, and reconcile the result to the records of the licensee;
          (c) Reconcile individual client balances with the licensee’s records of crypto-assets balances held in client accounts; and
          (d) Where the licensee discovers discrepancies after carrying out the above reconciliations, it must maintain a record of such discrepancies and the measures taken to remedy such discrepancies.
          Amended: April 2023
          Added: April 2019

      • Client Reporting

        • CRA-8.4.2

          [This Paragraph was deleted in April 2023].

          Deleted: April 2023
          Added: April 2019

        • CRA-8.4.3

          [This Paragraph was deleted in April 2023].

          Deleted: April 2023
          Added: April 2019

      • Record Keeping

        • CRA-8.4.4

          A licensee must ensure that proper records of the client's custody account which it holds or receives, or arranges for another to hold or receive, on behalf of the client, are made and retained for a period of ten years after the account is closed.

          Added: April 2019

        • CRA-8.4.5

          For the purpose of Paragraph CRA-8.4.4, the records must capture at a minimum the following details:

          (a) The name of the account;
          (b) The account number;
          (c) Type of account;
          (d) The location of the account;
          (e) Whether the account is currently open or closed;
          (f) Details of crypto-assets held and movements in each account; and
          (g) The date of opening and where applicable, closure.
          Amended: April 2023
          Added: April 2019