• CRA-8.1 General Requirements

    • CRA-8.1.1

      This Section applies to licensees that undertake safeguarding, storing, holding or maintaining custody of crypto-assets as specified in Paragraph CRA-1.1.6(e).

      Amended: April 2023
      Added: April 2019

    • CRA-8.1.2

      [This Paragraph was deleted in April 2023].

      Deleted: April 2023
      Added: April 2019

    • CRA-8.1.3

      A licensee which undertakes safeguarding, storing, holding or maintaining custody of crypto-assets must have systems and controls in place to:

      (a) Ensure the proper safeguarding of crypto-assets;
      (b) Ensure that such safe custody of crypto-assets is identifiable and secure at all times; and
      (c) Ensure protection against the risk of loss, theft or hacking.

      Amended: April 2023
      Added: April 2019

    • CRA-8.1.4

      [This Paragraph was deleted in April 2023].

      Deleted: April 2023
      Added: April 2019

    • CRA-8.1.5

      To the extent a licensee stores, holds, or maintains custody or control of crypto-asset on behalf of a client, such licensee must hold crypto-asset of the same type and amount as that which is owed or obligated to such other client.

      Amended: April 2023
      Added: April 2019

    • CRA-8.1.6

      A licensee is prohibited from selling, transferring, assigning, lending, hypothecating, pledging, or otherwise using or encumbering crypto-asset stored, held, or maintained by, or under the custody or control of, such licensee on behalf of a client except for the sale, transfer, or assignment of such crypto-asset at the direction of the client.

      Amended: April 2023
      Added: April 2019

    • CRA-8.1.7

      A licensee that maintains custody or control of crypto-asset must avoid conflict of interest between its function as a crypto-asset custodian and any other activities. With an objective to avoid or mitigate actual or potential conflict of interest between its custody function and any other activities, the licensee must adopt a governance structure that ensures adequate management of conflicts of interest and that its crypto-asset custody activity is fully independent from its other activities. Such governance structure must include, among other things, having separate staffing arrangements to undertake the crypto-asset custody activity, who do not have any conflicting responsibilities within the licensee’s other activities.

      Added: April 2023

    • CRA-8.1.8

      A licensee that maintains custody or control of crypto-assets on behalf of a client must store, at a minimum, 90% of client’s crypto-assets in cold wallets to minimise exposure to losses arising from a compromise or hacking. The requirement to hold 90% of client’s crypto-assets in cold wallets is to be calculated separately for each crypto-asset that is listed on the licensee’s platform and not at an aggregate level.

      Added: April 2023

    • CRA-8.1.9

      A licensee must have a documented policy detailing the mechanism for the transfer of crypto-assets between hot, cold and other storage. The scope of authority of each function designated to perform any non-automated processes in such transfers must be clearly specified in the policy document.

      Added: April 2023

    • Multi-Signature Arrangement

      • CRA-8.1.10

        A licensee that maintains custody or control of crypto-assets must not, at any time, permit arrangements whereby just one party or signatory is able to completely authorise the movement, transfer or withdrawal of crypto assets held under custody on behalf of clients. In particular, licensees must not have custody arrangements whereby only a sole person can fully access the private key or keys for the crypto assets held under custody by the licensee.

        Added: April 2023

      • CRA-8.1.11

        Licensees that maintain custody or control of crypto-assets are required to mitigate the risk of collusion between the authorised persons or signatories who are able to authorise the movement, transfer or withdrawal of crypto-assets held under custody.

        Added: April 2023

    • Other Requirements

      • CRA-8.1.12

        Licensees that maintain custody or control of crypto-assets are required to maintain, at all times, an updated list of all past and present authorised persons who were / are able to view, initiate, authorise, sign, approve or complete the transfer or withdrawal of crypto assets held under custody on behalf of clients. In addition, licensees must have clearly defined policies and procedures to enable or revoke the authority granted to these persons.

        Added: April 2023

      • CRA-8.1.13

        Licensees that maintain custody or control of crypto-assets are required to have policies and procedures in place that clearly describe the process that will be adopted in the event that the licensee comes to know or suspects that the crypto assets it is holding under custody on behalf of clients have been compromised, such as in the event of a hacking attack, theft or fraud. Such policies and procedures must detail the specific steps the licensee will take to protect clients’ crypto assets in the event of such incidents. Licensees must also have the ability to immediately halt all further transactions with regard to the crypto assets.

        Added: April 2023

    • Forks and Air Drops

      • CRA-8.1.14

        Licensees must have written procedures for dealing with events such as forks (hard, soft or temporary forks) or air drops from an operational and technical point of view.

        Added: April 2023

      • CRA-8.1.15

        Where a licensee supports a new protocol, it must ensure that changes in the underlying protocol of a crypto-asset that result in a fork are managed and tested proactively. This includes temporary forks which should be managed for reverse compatibility for as long as required.

        Added: April 2023

      • CRA-8.1.16

        Where a licensee supports a new protocol, a licensee must ensure that their clients are able to deposit and withdraw crypto-assets in and out of the wallet as and when requested before and after a fork (except during go-live). Clients must be notified well in advance of any periods of time when deposits and withdrawals are not feasible.

        Added: April 2023

      • CRA-8.1.17

        Where the underlying protocol of a crypto-asset is changed, and the older version of the crypto-asset is no longer compatible with the new version and/or there is an entirely new and separate version of the crypto-asset (hard fork), a licensee, where it supports a new protocol, must ensure that client balances on the old version are reconciled with the new version of the crypto-asset. This includes availability of reverse compatibility for as long as required. A licensee must maintain transparent lines of communication with their clients on how they are managing clients’ crypto-asset holdings in such a scenario.

        Added: April 2023

      • CRA-8.1.18

        In the case of a hard fork, a licensee, where it supports a new protocol, must proactively manage any discrepancy between the balances recorded on the previous version versus the new version by engaging with the entity which is responsible for updating and supporting the underlying protocol of the relevant crypto-asset. Additionally, licensees must ensure that, where they seek to offer services in relation to the crypto-asset associated with the new version of the underlying protocol, this new crypto-asset meets the requirements for a crypto-asset and that they notify the CBB well in advance of offering the new crypto-asset as part of their activities.

        Added: April 2023