CRA-5.1.2

Licensees must, as a minimum, have in place systems and controls with respect to the following:

(a) Crypto-asset Wallets: Procedures describing the creation, management and controls of crypto-asset wallets, including:
(i) Wallet setup/configuration/deployment/deletion/backup and recovery;
(ii) Wallet access privilege management;
(iii) Wallet user management;
(iv) Wallet Rules and limit determination, review and update; and
(v) Wallet audit and oversight.
(b) Private keys: Procedures describing the creation, management and controls of private keys, including:
(i) Private key generation;
(ii) Private key exchange;
(iii) Private key storage;
(iv) Private key backup;
(v) Private key destruction; and
(vi) Private key access management.
(c) Origin and destination of crypto-assets: Systems and controls to mitigate the risk of misuse of crypto-assets, setting out how:
(vii) The origin of the crypto-asset is determined, in case of an incoming transaction; and
(viii) The destination of the crypto-asset is determined, in case of an outgoing transaction.
(d) Security: A security plan describing the security arrangements relating to:
(i) The privacy of sensitive data;
(ii) Networks and systems;
(iii) Cloud-based services;
(iv) Physical facilities; and
(v) Documents, and document storage.
(e) Risk management: A risk management plan containing a detailed analysis of likely risks with both high and low impact, as well as mitigation strategies. The risk management plan must cover, but is not limited to:
(i) Operational risks;
(ii) Technology risks, including 'hacking' related risks;
(iii) Market risk for each crypto-asset; and
(iv) Risk of financial crime.
Amended: April 2023
Added: April 2019