CRA-8 Crypto-asset Custody Services
CRA-8.1 General Requirements
CRA-8.1.1
This Section applies to licensees that undertake safeguarding, storing, holding or maintaining custody of crypto-assets as specified in Paragraph CRA-1.1.6(e).
Amended: April 2023
Added: April 2019
CRA-8.1.2
[This Paragraph was deleted in April 2023].
Deleted: April 2023
Added: April 2019
CRA-8.1.3
A licensee which undertakes safeguarding, storing, holding or maintaining custody of crypto-assets must have systems and controls in place to:
(a) Ensure the proper safeguarding of crypto-assets;
(b) Ensure that such safe custody of crypto-assets is identifiable and secure at all times; and
(c) Ensure protection against the risk of loss, theft or hacking.
Amended: April 2023
Added: April 2019
CRA-8.1.4
[This Paragraph was deleted in April 2023].
Deleted: April 2023
Added: April 2019
CRA-8.1.5
To the extent a licensee stores, holds, or maintains custody or control of crypto-asset on behalf of a client, such licensee must hold crypto-asset of the same type and amount as that which is owed or obligated to such other client.
Amended: April 2023
Added: April 2019
CRA-8.1.6
A licensee is prohibited from selling, transferring, assigning, lending, hypothecating, pledging, or otherwise using or encumbering crypto-asset stored, held, or maintained by, or under the custody or control of, such licensee on behalf of a client except for the sale, transfer, or assignment of such crypto-asset at the direction of the client.
Amended: April 2023
Added: April 2019
CRA-8.1.7
A licensee that maintains custody or control of crypto-asset must avoid conflict of interest between its function as a crypto-asset custodian and any other activities. With an objective to avoid or mitigate actual or potential conflict of interest between its custody function and any other activities, the licensee must adopt a governance structure that ensures adequate management of conflicts of interest crypto-asset custody activity is fully independent from its other activities. Such governance structure must include, among other things, having separate staffing arrangements to undertake the crypto-asset custody activity, who do not have any conflicting responsibilities within the licensee’s other activities.
Added: April 2023
CRA-8.1.8
A licensee that maintains custody or control of crypto-assets on behalf of a client must store, at a minimum, 90% of client’s crypto-assets in cold wallets to minimise exposure to losses arising from a compromise or hacking. The requirement to hold 90% of client’s crypto-assets in cold wallet is to be calculated separately for each crypto-asset that is listed on the licensee’s platform and not at aggregate level.
Added: April 2023
CRA-8.1.9
A licensee must have a documented policy detailing the mechanism for the transfer of crypto-assets between hot, cold and other storage. The scope of authority of each function designated to perform any non-automated processes in such transfers must be clearly specified in the policy document.
Added: April 2023
Multi-Signature Arrangement
CRA-8.1.10
A licensee that maintains custody or control of crypto-assets must not, at any time, permit arrangements whereby just a party or signatory is able to completely authorise the movement, transfer or withdrawal of crypto assets held under custody on behalf of clients. In particular, licensees must not have custody arrangements whereby only a sole person can fully access the private key or keys for the crypto assets held under custody by the licensee.
Added: April 2023
CRA-8.1.11
Licensees that maintain custody or control of crypto-assets are required to mitigate the risk of collusion between the authorised persons or signatories who are able to authorise the movement, transfer or withdrawal of crypto-assets held under custody.
Added: April 2023
Other Requirements
CRA-8.1.12
Licensees that maintain custody or control of crypto-assets are required to maintain, at all times, an updated list of all past and present authorised persons who were / are able to view, initiate, authorise, sign, approve or complete the transfer or withdrawal of crypto assets held under custody on behalf of clients. In addition, licensees must have clearly defined policies and procedures to enable or revoke the authority granted to these persons.
Added: April 2023
CRA-8.1.13
Licensees that maintain custody or control of crypto-assets are required to have policies and procedures in place that clearly describe the process that will be adopted in the event that the licensee comes to know or suspects that the crypto assets it is holding under custody on behalf of clients have been compromised, such as in the event of a hacking attack, theft or fraud. Such policies and procedures must detail the specific steps the licensee will take to protect client’s crypto assets in the event of such incidents. Licensees must also have the ability to immediately halt all further transactions with regard to the crypto assets.
Added: April 2023
Forks and Air Drops
CRA-8.1.14
Licensees must have written procedures for dealing with events such as forks (hard, soft or temporary forks) or air drops from an operational and technical point of view.
Added: April 2023
CRA-8.1.15
Where a licensee supports a new protocol, it must ensure that changes in the underlying protocol of a crypto-asset that result in a fork are managed and tested proactively. This includes temporary forks which should be managed for reverse compatibility for as long as required.
Added: April 2023
CRA-8.1.16
Where a licensee supports a new protocol, a licensee must ensure that their clients are able to deposit and withdraw crypto-assets in and out of the wallet as and when requested before and after a fork (except during go-live). Clients must be notified well in advance of any periods of time when deposits and withdrawals are not feasible.
Added: April 2023
CRA-8.1.17
Where the underlying protocol of a crypto-asset is changed, and the older version of the crypto-asset is no longer compatible with the new version and/or there is an entirely new and separate version of the crypto-asset (hard fork), a licensee, where it supports a new protocol, must ensure that client balances on the old version are reconciled with the new version of the crypto-asset. This includes availability of reverse compatibility for as long as required. A licensee must maintain transparent lines of communication with their clients on how they are managing clients’ crypto-asset holdings in such a scenario.
Added: April 2023
CRA-8.1.18
In the case of a hard fork, a licensee, where it supports a new protocol, must proactively manage any discrepancy between the balances recorded on the previous version versus the new version by engaging with the entity which is responsible for updating and supporting the underlying protocol of the relevant crypto-asset. Additionally, licensees must ensure that, where they seek to offer services in relation to the crypto-asset associated with the new version of the underlying protocol, this new crypto-asset meets the requirements for a crypto-asset and that they notify the CBB well in advance of offering the new crypto-asset as part of their activities.
Added: April 2023
CRA-8.2 Custodial Arrangements
CRA-8.2.1
Licensees must provide to the CBB, for prior written approval, details of custodial arrangement put in place to safeguard, store, hold or maintain custody of crypto-assets.
Amended: April 2023
Added: April 2019
CRA-8.2.2
Licensees may implement the following three types of custodial arrangements or any other type of custodial arrangement that is acceptable to the CBB:
(a) The licensee is wholly responsible for custody of client’s crypto-assets and provides this service “in-house” through its own crypto-assets wallet solution. Such an arrangement includes scenarios where a licensee provides its own in-house proprietary wallet for clients to store any crypto-assets bought through that licensee or transferred into the wallet from other sources.
(b) The licensee is wholly responsible for the custody of client’s crypto-assets but outsources this service to a third party crypto-asset custodian. Such an arrangement includes the scenario where a licensee uses a third-party service provider to hold all its clients’ accepted crypto-assets (e.g., all or part of the clients’ private keys).
(c) The licensee wholly allows clients to “self-custodise” their accepted crypto-assets. Such an arrangement includes scenarios where licensees require clients to self-custodise their crypto-assets. Such licensees only provide the platform for clients to buy and sell crypto-assets. Clients are required to source and use their own third party crypto-asset custodians (which the licensee has no control over or responsibility for). This arrangement also includes the scenario where licensees provide an in-house wallet service for clients, but also allow clients to transfer their crypto-assets out of this wallet to another wallet from a third-party wallet provider chosen by the client (and which the licensee does not control).
Amended: April 2023
Added: April 2019
Third Party Crypto-asset Custody Arrangement
CRA-8.2.3
For the purposes of Paragraph CRA-8.2.2(b), where a licensee provides a third party crypto-asset custodian to a client it must undertake an appropriate risk assessment of that crypto-asset custodian. Licensees must also retain ultimate responsibility for safe custody of crypto-assets held on behalf of clients and ensure that they continue to meet all their regulatory obligations with respect to crypto-asset custody service and outsourced activities.
Amended: April 2023
Added: April 2019
CRA-8.2.4
In undertaking an appropriate risk assessment of the third party crypto-asset custodian in accordance with Paragraph CRA-8.2.3, licensees should take into account any or all of the following:
(a) The expertise and market reputation of the third party crypto-asset custodian, and once a crypto-asset has been lodged by the licensee with the third party crypto-asset custodian, the crypto-asset custodian's performance of its services to the licensee;
(b) The arrangements, including cyber security measures, for holding and safeguarding crypto-assets;
(c) An appropriate legal opinion as to the protection of crypto-assets in the event of insolvency of the custodian;
(d) Whether the third party crypto-asset custodian is regulated and by whom;
(e) The capital or financial resources of the third party crypto-asset custodian;
(f) The credit rating of the third party crypto-asset custodian; and
(g) Any other activities undertaken by the third party crypto-asset custodian and, if relevant, any affiliated company.
Amended: April 2023
Added: April 2019
CRA-8.2.5
When assessing the suitability of the third party crypto-asset custodian, the licensee must ensure that the third party crypto-asset custodian will provide protections equivalent to the protections specified in this Section and applicable client asset and client money protection rules as specified in Chapter CRA-4.5.
Amended: April 2023
Added: April 2019
CRA-8.2.6
A licensee that safeguards, stores, holds or maintains custody of crypto-assets with a third party crypto-asset custodian, must establish and maintain a system for assessing the appropriateness of its selection of the crypto-asset custodian and assess the continued appointment of that crypto-asset custodian periodically as often as is reasonable. The licensee must make and retain a record of the grounds on which it satisfies itself as to the appropriateness of its selection or, following a periodic assessment, continued appropriateness of the crypto-asset custodian.
Amended: April 2023
Added: April 2019
CRA-8.2.7
[This Paragraph was deleted in April 2023].
Deleted: April 2023
Added: April 2019
Self-Custody Arrangement
CRA-8.2.8
For the purposes of Paragraph CRA-8.2.2(c), the CBB considers scenarios where clients are required to self-custodise their crypto-assets as being a material risk given that the burden of protecting and safeguarding crypto-assets falls wholly upon clients, and that the crypto-assets face the constant risk of being stolen by malicious actors. As such, licensees requiring clients to self-custodise crypto-assets are required to disclose this fact fully and clearly upfront to clients and meet the disclosure standards as specified in Paragraph CRA-4.5.8.
Amended: April 2023
Added: April 2019
CRA-8.2.9
[This Paragraph was deleted in April 2023].
Deleted: April 2023
Added: April 2019
CRA-8.3 Crypto Wallets
CRA-8.3.1
[This Paragraph was deleted in April 2023].
Deleted: April 2023
Added: April 2019
CRA-8.3.2
For the purposes of this Section, licensees should consider, at the minimum, the following two types of crypto-asset wallets:
(a) Custodial Wallet: the custodial wallet provider holds crypto-assets (e.g., the private keys) as an agent on behalf of clients and has at least some control over these crypto-assets. Licensees that hold crypto-assets on behalf of their clients should generally offer custodial wallets and may even offer multi-signature wallets (Paragraph CRA-5.4.5). Clients using custodial wallets do not necessarily have full and sole control over their crypto-assets. In addition, there is a risk that should the custodial wallet provider cease operations or get hacked, clients may lose their crypto-assets; and
(b) Non-Custodial (Self-Custody) Wallets: the non-custodial wallet provider, typically a third-party hardware and/or software company, offers the means for each client to hold their crypto-assets (and fully control private keys) themselves. The non-custodial wallet provider does not control client’s crypto-assets – it is the client that has sole and full control over their crypto-assets. Hardware wallets, mobile wallets, desktop wallets and paper wallets are generally examples of non-custodial wallets. Clients using non-custodial wallets have full control of and sole responsibility for their crypto-assets, and the non-custodial wallet provider does not have the ability to effect unilateral transfers of clients’ crypto-assets without clients’ authorisation.
Amended: April 2023
Added: April 2019
CRA-8.3.3
In addition to the two main crypto-asset wallet types described in Paragraph CRA-8.3.2 above, the CBB recognises that there may be alternative crypto-asset wallet models in existence or which may emerge in future. Licensees seeking to provide such alternative types of crypto-asset wallets and who are unsure of the regulatory obligations they may attract are encouraged to contact the CBB.
Added: April 2019
CRA-8.3.4
Only entities providing the custodial wallets as described in Paragraph CRA-8.3.2(a) above are considered to be carrying out the regulated activity of safeguarding, storing, holding, maintaining custody of or arranging custody on behalf of clients for crypto-assets as specified in Paragraph CRA-1.1.6(e). With respect to the non-custodial wallets as described in Paragraph CRA-8.3.2(b) above, the wallet provider is merely providing the technology; it is the wallet user himself who has full control of and responsibility for the crypto-assets.
Amended: April 2023
Added: April 2019
CRA-8.3.5
[This Paragraph was deleted in April 2023].
Deleted: April 2023
Added: April 2019
CRA-8.3.6
Licensees must assess the risks posed to each storage method in view of the new developments in security threats, technology and market conditions and must implement appropriate storage solutions to ensure the secure storage of crypto-assets held on behalf of clients. Wallet storage technology and any upgrades should be tested comprehensively before deployment to ensure reliability. A licensee must implement and must ensure that its third-party crypto-asset custodian implements, measures to deal with any compromise or suspected compromise of all or part of any seed or private key without undue delay, including the transfer of all client crypto-assets to a new storage location as appropriate.
Added: April 2023
CRA-8.3.7
Licensees must have, or where the licensee uses the service of a third party crypto-asset custodian it must ensure that the third party crypto-asset custodian has, adequate processes in place for handling deposit and withdrawal requests for crypto-asset to guard against loss arising from theft, fraud and other dishonest acts, professional misconduct or omissions. In this regard, a licensee must:
(a) Continuously monitor major developments (such as technological changes or the evolution of security threats) relevant to all crypto-assets included for trading. There must be clear processes in place to evaluate the potential impact and risks of these developments, as well as processes for handling fraud attempts specific to distributed ledger technology (such as 51% attacks), and these processes should be proactively executed;
(b) Ensure that client IP addresses as well as wallet addresses used for deposit and withdrawal are whitelisted, using appropriate confirmation methods;
(a) Have clear processes in place to minimise the risks relating to handling deposits and withdrawals, including whether deposits and withdrawals are performed using hot or cold storage, whether withdrawals are processed on a real-time basis or only at certain cut-off times, and whether the withdrawal process is automatic or involves manual authorisation;
(b) Ensure that any decision to suspend the withdrawal of crypto-assets is made on a transparent and fair basis, and is communicated without delay to all its clients; and
(c) Ensure that the above processes include safeguards against fraudulent requests or requests made under duress as well as controls to prevent one or more officers or employees from transferring assets to wallet addresses other than the client’s designated wallet address.
Added: April 2023
CRA-8.3.8
Where the licensee appoints a third-party crypto-asset custodian, the licensee must ensure that such custodian implements the above requirements.
Added: April 2023
CRA-8.4 Reconciliation, Client Reporting and Record Keeping
Reconciliation
CRA-8.4.1
A licensee must at least every calendar month:
(a) [This Subparagraph was deleted in April 2023];
(b) Reconcile all crypto-assets held by the licensee, or its appointed third party custodian, and reconcile the result to the records of the licensee;
(c) Reconcile individual client balances with the licensee’s records of crypto-assets balances held in client accounts; and
(d) Where the licensee discovers discrepancies after carrying out the above reconciliations, it must maintain a record of such discrepancies and the measures taken to remedy such discrepancies.
Amended: April 2023
Added: April 2019
Client Reporting
CRA-8.4.2
[This Paragraph was deleted in April 2023].
Deleted: April 2023
Added: April 2019
CRA-8.4.3
[This Paragraph was deleted in April 2023].
Deleted: April 2023
Added: April 2019
Record Keeping
CRA-8.4.4
A licensee must ensure that proper records of the client's custody account which it holds or receives, or arranges for another to hold or receive, on behalf of the client, are made and retained for a period of ten years after the account is closed.
Added: April 2019
CRA-8.4.5
For the purpose of Paragraph CRA-8.4.4, the records must capture at a minimum the following details:
(a) The name of the account;
(b) The account number;
(c) Type of account;
(d) The location of the account;
(e) Whether the account is currently open or closed;
(f) Details of crypto-assets held and movements in each account; and
(g) The date of opening and where applicable, closure.
Amended: April 2023
Added: April 2019