• CRA-8.3 Crypto Wallets

    • CRA-8.3.1

      [This Paragraph was deleted in April 2023].

      Deleted: April 2023
      Added: April 2019

    • CRA-8.3.2

      For the purposes of this Section, licensees should consider, at the minimum, the following two types of crypto-asset wallets:

      (a) Custodial Wallet: the custodial wallet provider holds crypto-assets (e.g., the private keys) as an agent on behalf of clients and has at least some control over these crypto-assets. Licensees that hold crypto-assets on behalf of their clients should generally offer custodial wallets and may even offer multi-signature wallets (Paragraph CRA-5.4.5). Clients using custodial wallets do not necessarily have full and sole control over their crypto-assets. In addition, there is a risk that should the custodial wallet provider cease operations or get hacked, clients may lose their crypto-assets; and
      (b) Non-Custodial (Self-Custody) Wallets: the non-custodial wallet provider, typically a third-party hardware and/or software company, offers the means for each client to hold their crypto-assets (and fully control private keys) themselves. The non-custodial wallet provider does not control clients’ crypto-assets – it is the client that has sole and full control over their crypto-assets. Hardware wallets, mobile wallets, desktop wallets and paper wallets are generally examples of non-custodial wallets. Clients using non-custodial wallets have full control of and sole responsibility for their crypto-assets, and the non-custodial wallet provider does not have the ability to effect unilateral transfers of clients’ crypto-assets without clients’ authorisation.
      Amended: April 2023
      Added: April 2019

    • CRA-8.3.3

      In addition to the two main crypto-asset wallet types described in Paragraph CRA-8.3.2 above, the CBB recognises that there may be alternative crypto-asset wallet models in existence or which may emerge in future. Licensees seeking to provide such alternative types of crypto-asset wallets and who are unsure of the regulatory obligations they may attract are encouraged to contact the CBB.

      Added: April 2019

    • CRA-8.3.4

      Only entities providing the custodial wallets as described in Paragraph CRA-8.3.2(a) above are considered to be carrying out the regulated activity of safeguarding, storing, holding, maintaining custody of or arranging custody on behalf of clients for crypto-assets as specified in Paragraph CRA-1.1.6(e). With respect to the non-custodial wallets as described in Paragraph CRA-8.3.2(b) above, the wallet provider is merely providing the technology; it is the wallet user himself who has full control of and responsibility for the crypto-assets.

      Amended: April 2023
      Added: April 2019

    • CRA-8.3.5

      [This Paragraph was deleted in April 2023].

      Deleted: April 2023
      Added: April 2019

    • CRA-8.3.6

      Licensees must assess the risks posed to each storage method in view of the new developments in security threats, technology and market conditions and must implement appropriate storage solutions to ensure the secure storage of crypto-assets held on behalf of clients. Wallet storage technology and any upgrades should be tested comprehensively before deployment to ensure reliability. A licensee must implement, and must ensure that its third-party crypto-asset custodian implements, measures to deal with any compromise or suspected compromise of all or part of any seed or private key without undue delay, including the transfer of all client crypto-assets to a new storage location as appropriate.

      Added: April 2023

    • CRA-8.3.7

      Licensees must have, or where the licensee uses the service of a third-party crypto-asset custodian it must ensure that the third-party crypto-asset custodian has, adequate processes in place for handling deposit and withdrawal requests for crypto-assets to guard against loss arising from theft, fraud and other dishonest acts, professional misconduct or omissions. In this regard, a licensee must:

      (a) Continuously monitor major developments (such as technological changes or the evolution of security threats) relevant to all crypto-assets included for trading. There must be clear processes in place to evaluate the potential impact and risks of these developments, as well as processes for handling fraud attempts specific to distributed ledger technology (such as 51% attacks), and these processes should be proactively executed;
      (b) Ensure that client IP addresses as well as wallet addresses used for deposit and withdrawal are whitelisted, using appropriate confirmation methods;
      (c) Have clear processes in place to minimise the risks relating to handling deposits and withdrawals, including whether deposits and withdrawals are performed using hot or cold storage, whether withdrawals are processed on a real-time basis or only at certain cut-off times, and whether the withdrawal process is automatic or involves manual authorisation;
      (d) Ensure that any decision to suspend the withdrawal of crypto-assets is made on a transparent and fair basis, and is communicated without delay to all its clients; and
      (e) Ensure that the above processes include safeguards against fraudulent requests or requests made under duress as well as controls to prevent one or more officers or employees from transferring assets to wallet addresses other than the client’s designated wallet address.
      Added: April 2023

    • CRA-8.3.8

      Where the licensee appoints a third-party crypto-asset custodian, the licensee must ensure that such custodian implements the above requirements.

      Added: April 2023