Back Custom print Link Text Only Rich Text Print

  • CRA-8.2 CRA-8.2 Custodial Arrangements

    • CRA-8.2.1

      Licensees must provide to the CBB, for prior written approval, details of custodial arrangement put in place to safeguard, store, hold or maintain custody of crypto-assets.

      Amended: April 2023
      Added: April 2019

    • CRA-8.2.2

      Licensees may implement the following three types of custodial arrangements or any other type of custodial arrangement that is acceptable to the CBB:

      (a) The licensee is wholly responsible for custody of client’s crypto-assets and provides this service “in-house” through its own crypto-assets wallet solution. Such an arrangement includes scenarios where a licensee provides its own in-house proprietary wallet for clients to store any crypto-assets bought through that licensee or transferred into the wallet from other sources.
      (b) The licensee is wholly responsible for the custody of client’s crypto-assets but outsources this service to a third party crypto-asset custodian. Such an arrangement includes the scenario where a licensee uses a third-party service provider to hold all its clients’ accepted crypto-assets (e.g., all or part of the clients’ private keys).
      (c) The licensee wholly allows clients to “self-custodise” their accepted crypto-assets. Such an arrangement includes scenarios where licensees require clients to self-custodise their crypto-assets. Such licensees only provide the platform for clients to buy and sell crypto-assets. Clients are required to source and use their own third party crypto-asset custodians (which the licensee have no control over or responsibility for). This arrangement also includes the scenario where licensees provide an in-house wallet service for clients, but also allow clients to transfer their crypto-assets out of this wallet to another wallet from a third-party wallet provider chosen by the client (and which the licensee does not control).
      Amended: April 2023
      Added: April 2019

    • Third Party Crypto-asset Custody Arrangement

      • CRA-8.2.3

        For the purposes of Paragraph CRA-8.2.2(b), where a licensee provides a third party crypto-asset custodian to a client it must undertake an appropriate risk assessment of that crypto-asset custodian. Licensees must also retain ultimate responsibility for safe custody of crypto-assets held on behalf of clients and ensure that they continue to meet all their regulatory obligations with respect to crypto-asset custody service and outsourced activities.

        Amended: April 2023
        Added: April 2019

      • CRA-8.2.4

        In undertaking an appropriate risk assessment of the third party crypto-asset custodian in accordance with Paragraph CRA-8.2.3, licensees should take into account any or all of the following:

        (a) The expertise and market reputation of the third party crypto-asset custodian, and once a crypto-asset has been lodged by the licensee with the third party crypto-asset custodian, the crypto-asset custodian's performance of its services to the licensee;
        (b) The arrangements, including cyber security measures, for holding and safeguarding crypto-assets;
        (c) An appropriate legal opinion as to the protection of crypto-assets in the event of insolvency of the custodian;
        (d) Whether the third party crypto-asset custodian is regulated and by whom;
        (e) The capital or financial resources of the third party crypto-asset custodian;
        (f) The credit rating of the third party crypto-asset custodian; and
        (g) Any other activities undertaken by the third party crypto-asset custodian and, if relevant, any affiliated company
        Amended: April 2023
        Added: April 2019

      • CRA-8.2.5

        When assessing the suitability of the third party crypto-asset custodian, the licensee must ensure that the third party crypto-asset custodian will provide protections equivalent to the protections specified in this Section and applicable client asset and client money protection rules as specified in Chapter CRA-4.5.

        Amended: April 2023
        Added: April 2019

      • CRA-8.2.6

        A licensee that safeguards, stores, holds or maintains custody of crypto-assets with a third party crypto-asset custodian, must establish and maintain a system for assessing the appropriateness of its selection of the crypto-asset custodian and assess the continued appointment of that crypto-asset custodian periodically as often as is reasonable. The licensee must make and retain a record of the grounds on which it satisfies itself as to the appropriateness of its selection or, following a periodic assessment, continued appropriateness of the crypto-asset custodian.

        Amended: April 2023
        Added: April 2019

      • CRA-8.2.7

        [This Paragraph was deleted in April 2023].

        Deleted: April 2023
        Added: April 2019

    • Self-Custody Arrangement

      • CRA-8.2.8

        For the purposes of Paragraph CRA-8.2.2(c), the CBB considers scenarios where clients are required to self-custodise their crypto-assets as being a material risk given that the burden of protecting and safeguarding crypto-assets falls wholly upon clients, and that the crypto-assets face the constant risk of being stolen by malicious actors. As such, licensees requiring clients to self-custodise crypto-assets are required to disclose this fact fully and clearly upfront to clients and meet the disclosure standards as specified in Paragraph CRA-4.5.8.

        Amended: April 2023
        Added: April 2019

      • CRA-8.2.9

        [This Paragraph was deleted in April 2023].

        Deleted: April 2023
        Added: April 2019