Entire Act

12-1. RULES APPLICABLE TO AUTHORISED FIRMS OPERATING A FACILITY FOR QUALIFIED INVESTMENT TOKENS

Guidance

Operating a facility for Qualified Investment Tokens is defined in GLO as Operating a Multilateral Trading Facility or Operating an Organised Trading Facility on which Qualified Investment Tokens are traded.

12-1.1 Technology and governance requirements

A Trading Facility Operator must:

(a) establish and maintain policies and procedures to ensure that any DLT application used in connection with the facility operates on the basis of ‘permissioned’ access, such that it allows the operator to have and maintain adequate control over the Persons who are permitted to access and update records held on that DLT application;

(b) establish and maintain adequate measures to ensure that the DLT application it uses, and the associated rules and protocols, contain:

(i) clear criteria governing Persons who are permitted to access and update records for the purposes of trading or clearing Qualified Investment Tokens on the facility, including criteria about the integrity, credentials and competencies appropriate to the roles played by such Persons;

(ii) measures to address risks, including to network security and network compatibility, that may arise through systems used by Persons permitted to update the records on the DLT application;

(iii) processes to ensure that the Trading Facility Operator undertakes sufficient due diligence and adequate monitoring of ongoing compliance, relating to the matters referred to in (i) and (ii); and

(iv) measures to ensure there are appropriate restrictions on the transferability of Qualified Investment Tokens in order to address AML and CFT risks;

(c) ensure any DLT application used for its facility is fit for purpose; and

(d) have regard to industry best practices in developing its technology design and technology governance relating to DLT that it uses.

Guidance

1. To be fit for purpose, the technology design of the DLT application used by a Trading Facility Operator should be able to address how the rights and obligations relating to the Qualified Investment Tokens traded on that facility are properly managed and capable of being exercised or performed. For example, where a Qualified Investment Token confers rights and obligations substantially similar to those conferred by a Share in a company, the DLT application would generally need to enable the management and exercise of the shareholder’s rights. These may, for example, include the right to receive notice of, and vote in, shareholder meetings, receive any declared dividends and participate in the assets of the company in a winding up.

2. To ensure the technology governance of any DLT application used on its facility is fit for purpose, a Trading Facility Operator should, as a minimum, have regard to the following:

a. careful maintenance and development of the relevant systems and architecture in terms of its code version control, implementation of updates, issue resolution, and regular internal and third party testing;

b. security measures and procedures for the safe storage and transmission of data in accordance with agreed protocols;

c. procedures to address changes in the protocol which result in modifications of or the splitting of the underlying distributed ledger into two or more separate ledgers (often referred to as a ‘fork’), whether or not the new protocol is backwards compatible with the previous version;

d. procedures to deal with system outages, whether planned or not, and errors;

e. decision-making protocols and accountability for decisions;

f. procedures for establishing and managing interfaces with Digital wallet Service Providers; and

g. whether the protocols, smart contracts and other inbuilt features of the DLT application meet at least a minimum acceptable level of reliability and safety requirements, which should be appropriately justified, including to deal with a cyber or hacking attack, and how any resulting disruptions would be resolved.

3. Some parts of trading Qualified Investment Tokens, for example, order matching, may take place ‘offchain’ (i.e. not using DLT). In those circumstances, the operator should still maintain adequate control over Persons who are undertaking those activities, as they are agents or delegates of the operator.

12-1.2. Safe custody of Qualified Investment Tokens

A Trading Facility Operator must ensure that:

(1) Where its safe custody arrangements involve acting as a Digital wallet Service Provider, it complies with the following requirements for Authorised Firms Providing Custody for Qualified Investment Tokens:

(a)   a Digital wallet Service Provider must ensure that:

(i)     any DLT application it uses in Providing Custody for Qualified Investment Tokens is resilient, reliable and compatible with any relevant facility on which those Qualified Investment Tokens are traded or cleared;

(ii)    it has the ability to clearly identify and segregate Qualified Investment Tokens belonging to different Clients; and

(iii)  it has in place appropriate procedures to enable it to confirm Client instructions and transactions, maintain appropriate records and data relating to those instructions and transactions and to conduct a reconciliation of those transactions at appropriate intervals.

(b)   a Digital wallet Service Provider, in developing and using DLT applications and other technology to provide custody of Qualified Investment Tokens, must ensure that:

(i)     the architecture of any Digital wallet used adequately addresses compatibility issues and associated risks;

(ii)    the technology used and its associated procedures have adequate security measures (including cyber security) to enable the safe storage and transmission of data relating to the Qualified Investment Tokens;

(iii)  the security and integrity of cryptographic keys are maintained through the use of that technology, taking into account the password protection and methods of encryption used;

(iv)  there are adequate measures to address any risks specific to the methods of usage and storage of cryptographic keys (or their equivalent) available under the DLT application used; and

(v)   the technology is compatible with the procedures and protocols built into the operating rules or equivalent on any facility on which the Qualified Investment Tokens are traded or cleared or both traded and cleared.

 

(2) Where it appoints a Third Party Digital wallet Service Provider to provide custody for Qualified Investment Tokens traded or cleared on its facility, that Person is either:

(a) an Authorised Firm permitted to be a Digital wallet Service Provider; or

(b) a firm that is regulated by a Financial Services Regulator to an equivalent level as that provided for under the AFSA regime for Digital wallet Service Providers.

12-1.3. Provision of key features document

An Authorised Firm must not provide a Financial Service to which this Chapter applies to a Person unless it has provided that Person with a key features document containing the information in COB 4.6.

12-1.4. Technology audit reports

A Trading Facility Operator must:

(a) appoint a suitably qualified and independent third party professional to:

(i) carry out an annual audit of the Trading Facility Operator’s compliance with the technology resources and governance requirements that apply to it;

(ii) produce a written report which sets out the methodology and results of that annual audit;

(iii) confirm whether the requirements referred to in (i) have been met; and

(iv) list any recommendations or areas of concern;

(b) submit to the AFSA a copy of the report referred to in (a)(ii) within 4 months of the Trading Facility Operator’s financial year end; and

(c) be able to satisfy the AFSA that the independent third party professional who undertakes the annual audit has the relevant expertise to do so, including by reference to the due diligence undertaken by the Trading Facility Operator to satisfy itself of that fact.

Guidance

Where a Trading Facility Operator appoints a third party professional for the purposes of (a)(i) and (ii), the Trading Facility Operator is expected to ensure that the professional is suitably qualified.

Credentials which indicate a qualified and independent third party professional is suitable to conduct audits of technology governance may include:

(1) designation as a Certified Information Systems Auditor (CISA) or Certified Information Security Manager (CISM) by the Information Systems Audit and Control Association (ISACA); or

(2) designation as a Certified Information Systems Security Professional (CISSP) by the International Information System Security Certification Consortium (ISC); or

(3) accreditation by a recognised and reputable body to certify compliance with relevant ISO/IEC 27000 series standards; or

(4) accreditation by the relevant body to certify compliance with the Kazakhstani standards in the area of information (cyber) security.