6.6. [intentionally omitted]

6.6.1. Cyber-security policy

(1) An Authorised Digital Asset Trading Facility shall implement a written cyber security policy setting forth its policies and procedures for the protection of its electronic systems and members and counterparty data stored on those systems, which shall be reviewed and approved by the Authorised Digital Asset Trading Facility’s governing body at least annually.

(2) The cyber security policy must, as a minimum, address the following areas:

  (a) information security;
  (b) data governance and classification;
  (c) access controls;
  (d) business continuity and disaster recovery planning and resources;
  (e) capacity and performance planning;
  (f) systems operations and availability concerns;
  (g) systems and network security;
  (h) systems and application development and quality assurance;
  (i) physical security and environmental controls;
  (j) customer data privacy;
  (k) vendor and third-party service provider management; and
  (l) incident response.

(3) An Authorised Digital Asset Trading Facility must advise the AFSA immediately if it becomes aware, or has reasonable grounds to believe, that a significant breach by any Person of its cyber security policy may have occurred or may be about to occur.

6.6.2. Technology governance

An Authorised Digital Asset Trading Facility must, as a minimum, have in place systems and controls with respect to the procedures describing the creation, management and control of digital wallets and private keys.

6.6.3. Trading controls

An Authorised Digital Asset Trading Facility must be able to:

  (a) reject orders that exceed its pre-determined volume and price thresholds, or that are clearly erroneous;
  (b) temporarily halt or constrain trading on its facilities if necessary or desirable to maintain an orderly market; and
  (c) cancel, vary, or correct any order resulting from an erroneous order entry and/or the malfunctioning of the system of a Member.

6.6.4. Settlement and Clearing facilitation services

(1) An Authorised Digital Asset Trading Facility must ensure that satisfactory arrangements are made for securing the timely discharge (whether by performance, compromise or otherwise), clearing and settlement of the rights and liabilities of the parties to transactions effected on the Authorised Digital Asset Trading Facility (being rights and liabilities in relation to those transactions).

(2) An Authorised Digital Asset Trading Facility acting as a Digital Asset Depository must:

  (a) have appropriate rules, procedures, and controls, including robust accounting practices, to safeguard the rights of Digital Assets issuers and holders, prevent the unauthorised creation or deletion of Digital Assets, and conduct periodic and at least daily reconciliation of each Digital Asset balance it maintains for issuers and holders;
  (b) prohibit overdrafts and debit balances in Digital Assets accounts;
  (c) maintain Digital Assets in an immobilised or dematerialised form for their transfer by book entry;
  (d) protect assets against custody risk through appropriate rules and procedures consistent with its legal framework;
  (e) ensure segregation between the Digital Asset Depository’s own assets and the Digital Assets of its participants and segregation among the Digital Assets of participants; and
  (f) identify, measure, monitor, and manage its risks from other custody related activities that it may perform.