SIO-9.1.2
Stablecoin issuers must, as a minimum, have in place systems and controls with respect to the following:
(a) Wallets: Procedures describing the creation, management and controls of wallets, including:
i. Wallet setup/configuration/deployment/deletion/backup and recovery;
ii. Wallet access privilege management;
iii. Wallet user management;
iv. Wallet Rules and limit determination, review and update; and
v. Wallet audit and oversight.
(b) Private keys: Procedures describing the creation, management and controls of private keys, including:
i. Private key generation;
ii. Private key exchange;
iii. Private key storage;
iv. Private key backup;
v. Private key destruction; and
vi. Private key access management.
(c) Origin and destination of approved stablecoins: Systems and controls to mitigate the risk of misuse of approved stablecoins, setting out how:
i. The origin of approved stablecoin is determined, in case of an incoming transaction; and
ii. The destination of approved stablecoin is determined, in case of an outgoing transaction.
(d) Security: A security plan describing the security arrangements relating to:
i. The privacy of sensitive data;
ii. Networks and systems;
iii. Cloud-based services;
iv. Physical facilities; and
v. Documents, and document storage.
(e) Risk management: A risk management plan containing a detailed analysis of likely risks with both high and low impact, as well as mitigation strategies. The risk management plan must cover, but is not limited to:
i. Operational risks;
ii. Technology risks, including ‘hacking’ related risks;
iii. Market risk; and
iv. Risk of financial crime.
Added: July 2025