2-1.1. Technology and governance requirements
2-1.1.1. Without limiting the generality of the technology resources requirements in AMI 2.4, an Authorised Market Institution must:
(a) establish and maintain policies and procedures to ensure that any DLT application used in connection with the facility operates on the basis of ‘permissioned’ access, such that it allows the operator to have and maintain adequate control over the Persons who are permitted to access and update records held on that DLT application;
(b) establish and maintain adequate measures to ensure that the DLT application it uses, and the associated rules and protocols, contain:
(i) clear criteria governing Persons who are permitted to access and update records for the purposes of trading or clearing Investment Tokens on the facility, including criteria about the integrity, credentials and competencies appropriate to the roles played by such persons;
(ii) measures to address risks, including to network security and network compatibility, that may arise through systems used by Persons permitted to update the records on the DLT application;
(iii) processes to ensure that the Authorised Market Institutions undertakes sufficient due diligence and adequate monitoring of ongoing compliance, relating to the matters referred to in (i) and (ii); and
(iv) measures to ensure there are appropriate restrictions on the transferability of Investment Tokens in order to address AML and CFT risks;
(c) ensure any DLT application used for its facility is fit for purpose; and
(d) have regard to industry best practices in developing its technology design and technology governance relating to DLT that is used by the facility.
Guidance
1. To be fit for purpose, the technology design of the DLT application used by an Authorised Market Institution Operating a facility for Investment Tokens should be able to address how the rights and obligations relating to the Investment Tokens traded on that facility are properly managed and capable of being exercised or performed. For example, where a Investment Token confers rights and obligations substantially similar to those conferred by a Share in a company, the DLT application would generally need to enable the management and exercise of the shareholder’s rights. These may, for example, include the right to receive notice of, and vote in, shareholder meetings, receive any declared dividends and participate in the assets of the company in a winding up.
2. To ensure the technology governance of any DLT application used on its facility is fit for purpose, an Authorised Market Institution should, as a minimum, have regard to the following:
a. careful maintenance and development of the relevant systems and architecture in terms of its code version control, implementation of updates, issue resolution, and regular internal and third party testing;
b. security measures and procedures for the safe storage and transmission of data in accordance with agreed protocols;
c. procedures to address changes in the protocol which result in modifications of or the splitting of the underlying distributed ledger into two or more separate ledgers (often referred to as a ‘forks’), whether or not the new protocol is backwards compatible with the previous version;
d. procedures to deal with system outages, whether planned or not, and errors;
e. decision-making protocols and accountability for decisions;
f. procedures for establishing and managing interfaces with Digital wallet Service Providers; and
g. whether the protocols, smart contracts and other inbuilt features of the DLT application meet at least a minimum acceptable level of reliability and safety requirements, including to deal with a cyber or hacking attack, and how any resulting disruptions would be resolved.
3. Credentials which indicate a Person is suitable to update records for the purposes of trading or clearing Investment Tokens on the facility may include:
a. accreditation by a recognised and reputable body to certify the requisite knowledge required; or
b. accreditation by the relevant body to certify compliance with the Kazakhstani standards in the area.