3. RULES APPLICABLE TO DIGITAL ASSET SERVICE PROVIDERS

This Part 3 applies to a Person carrying on, in or from the AIFC, one or more of the following Regulated Activities in relation to Digital Assets:

(a) Dealing in Investments as Principal;

(b) Dealing in Investments as Agent;

(c) Managing Investments;

(d) Managing a Collective Investment Scheme;

(e) Providing Custody;

(f) Arranging Custody;

(g) Advising on Investments; and

(h) Arranging Deals in Investments.

3.1. Authorisation of Digital Asset Service Providers

A Person wishing to carry on one or more of the Regulated Activities in relation to Digital Assets in or from the AIFC must be an Authorised Firm licensed by the AFSA.

3.2. Requirements for Digital Asset Service Providers

(1) The AFSA may not grant authorisation or variation of a Licence to a Person to carry on the Regulated Activities in relation to Digital Assets unless the applicant satisfies all of the following requirements:

(a) the general authorisation requirements applicable to the applicant under the Framework Regulations and other applicable rules; and

(b) the applicant must ensure that it maintains at all times capital resources in the amount specified in Table 2 by reference to the activity that the Digital Asset Service Provider is authorised to conduct or, if it is authorised to conduct more than one such activity, the amount that is the higher or highest of the relevant amounts in Table 2.

Table 2

| Regulated Activity | Capital requirement (USD) |
| --- | --- |
| Dealing in Investments as Principal, unless such activities are limited to matching client orders and the AFSA determines that it is appropriate in all the circumstances to apply a lower capital requirement | 250,000 |
| Dealing in Investments as Principal, where such activities are limited to matching client orders and the AFSA determines that it is appropriate in all the circumstances to apply a lower capital requirement than above | 50,000 |
| Dealing in Investments as Agent | 50,000 |
| Managing Investments | 100,000 |
| Managing a Collective Investment Scheme, which is an externally managed Exempt Fund and has an appointed Eligible Custodian (if an Eligible Custodian is required) | 50,000 |
| Managing a Collective Investment Scheme, which is a Non-Exempt Fund | 150,000 |
| Managing a Collective Investment Scheme, which is a Self-managed Fund and has an appointed Eligible Custodian, unless the appointment of an Eligible Custodian is not required due to the nature of the Fund and the type of assets which it holds | 200,000 |
| Managing a Collective Investment Scheme, which does not have an appointed Eligible Custodian, except where an Eligible Custodian is not required due to the nature of the Fund and type of assets which it holds | 250,000 |
| Providing Custody | 250,000 |
| Arranging Custody | 10,000 |
| Advising on Investments | 10,000 |
| Arranging Deals in Investments | 10,000 |

(2) In determining whether a Digital Asset Service Provider meets the capital requirement(s) and, in particular, has sufficient working capital to continue business on a going-forward basis, the Digital Asset Service Provider must have regard to the following matters:

(a) the business carried out, or to be carried out by the Digital Asset Service Provider;

(b) the risks to the continuity of the services provided by, or to be provided by, the Digital Asset Service Provider, including any outsourced services (including services outsourced to a Group entity where applicable);

(c) the liabilities to which the Digital Asset Service Provider is or could be exposed, including as a result of any failure by any third party; and

(d) the means by which the Digital Asset Service Provider manages and, if the Digital Asset Service Provider is a member of a Group, by which other members of the Group manage, the occurrence of risk in connection with the Digital Asset Service Provider’s business.

Guidance

Intangible assets, including goodwill, cannot be used as part of determining whether the capital requirement value is met or whether the Digital Asset Service Provider has sufficient working capital, and must be disregarded when determining whether the requirements are met for the purposes of Table 2.

A Digital Asset Service Provider may carry on the Regulated Activities only in relation to Digital Assets and may not carry on the Regulated Activities in relation to other Investments unless approved by the AFSA on a case-by-case basis.

3.3. Governance

3.3.1. Mandatory appointments

(1) In addition to the mandatory appointments required by GEN 2.1., a Digital Asset Service Provider must appoint a Chief Information Technology Officer, who is an individual responsible for its ongoing information technology (“IT”) operations, maintenance and security oversight to ensure that the Digital Asset Service Provider’s IT systems are reliable and adequately protected from external attack or incident.

(2) AFSA may direct a Digital Asset Service Provider to appoint a Risk Manager.

3.3.2. Board of Directors of a Digital Asset Service Provider

(1) A Digital Asset Service Provider must have an effective Board of Directors which is collectively accountable for ensuring that the Digital Asset Service Provider's business is managed prudently and soundly. At least one-third of the Board of Directors should comprise independent Directors.

Note: Rule 2.3.2(1) will come into force 12 months after the commencement of these Rules.

(2) The AFSA may issue guidance on the requirements relating to Board composition, structure, duties and powers as well as skills, experience and qualifications of Directors, and other relevant requirements.

(3) The Board must ensure that there is a clear division between its responsibility for setting the strategic aims and undertaking the oversight of the Digital Asset Service Provider and the senior management’s responsibility for managing the Digital Asset Service Provider’s business in accordance with the strategic aims and risk parameters set by the Board as well as applicable law and regulation.

(4) The Board and its committees must have an appropriate balance of skills, experience, independence, and knowledge of the Digital Asset Service Provider’s business, and adequate resources, including access to expertise as required and timely and comprehensive information relating to the affairs of the Digital Asset Service Provider.

(5) The Board must ensure that the Digital Asset Service Provider has an adequate, effective, well-defined and well-integrated risk management, internal control and compliance framework.

(6) The Board must ensure that the rights of shareholders are properly safeguarded through appropriate measures that enable the shareholders to exercise their rights effectively, promote effective dialogue with shareholders and other key stakeholders as appropriate, and prevent any abuse or oppression of minority shareholders.

(7) The Board must ensure that the Digital Asset Service Provider’s financial and other reports present an accurate, balanced and understandable assessment of the Digital Asset Service Provider’s financial position and prospects by ensuring that there are effective internal risk control and reporting requirements.

(8) A Director of the Digital Asset Service Provider must act:

(a) on a fully informed basis;

(b) in good faith;

(c) honestly;

(d) with due skill, care and diligence; and

(e) in the best interests of the Digital Asset Service Provider and its shareholders and users.

3.4. Technology governance, controls and security

3.4.1. Systems and controls

(1) A Digital Asset Service Provider must ensure that it implements systems and controls necessary to address the risks, including cybersecurity-related risks, to its business. The relevant systems and controls should take into account such factors that include but are not limited to the nature, scale and complexity of the Digital Asset Service Provider’s business, the diversity of its operations, the volume and size of transactions made using its facilities and the level of risk inherent with its business and activities.

(2) A Digital Asset Service Provider must have adequate systems and controls to enable it to calculate and monitor its capital resources and its compliance with the requirements in DAA 3.2. The systems and controls must be in writing and must be appropriate for the nature, scale and complexity of the Digital Asset Service Provider’s business and its risk profile.

3.4.2. Technology governance and risk assessment framework

(1) A Digital Asset Service Provider must implement a technology governance and risk assessment framework which must be comprehensive and proportionate to the nature, scale, and complexity of the risks inherent in its business model.

(2) The technology governance and risk assessment framework must apply to all technologies relevant to a Digital Asset Service Provider’s business and clearly set out the Digital Asset Service Provider’s cybersecurity objectives, including the requirements for the competency of its relevant Employees and, as relevant, end users and Clients, and there must be in place clearly defined systems and procedures necessary for managing risks.

(3) A Digital Asset Service Provider must ensure that its technology governance and risk assessment is capable of determining the necessary processes and controls that it must implement in order to adequately mitigate any risks identified. In particular, a Digital Asset Service Provider must ensure that its technology governance and risk assessment framework includes consideration of international standards and industry best practice codes.

(4) A Digital Asset Service Provider must ensure that its technology governance and risk assessment framework incorporates appropriate governance policies and system development controls, such as a development, maintenance and testing process for technology systems and operations controls, back-up controls, capacity and performance planning and availability testing.

3.4.3. Cyber-security matters

A Digital Asset Service Provider must take reasonable steps to ensure that its IT systems are reliable and adequately protected from external attack or incident, as well as from risks that can arise from inadequacies or failures in its processes and systems (and, as appropriate, the systems of third-party suppliers, agents and others). A Digital Asset Service Provider must ensure there are the necessary resources in place to manage these risks.

3.4.4. Cyber-security policy

(1) A Digital Asset Service Provider must create and implement a policy which outlines its procedures for the protection of its electronic systems.

(2) A Digital Asset Service Provider must ensure that its cyber-security policy is reviewed at least on an annual basis by its Chief Information Technology Officer, and that such review is provided to the Board of Directors.

(3) The cyber-security policy must, as a minimum, address the following areas:

(a) information security;

(b) data governance and classification;

(c) access controls;

(d) business continuity and disaster recovery planning and resources;

(e) capacity and performance planning;

(f) systems operations and availability concerns;

(g) systems and network security, consensus protocol methodology, code and smart contract validation and audit processes;

(h) systems and application development and quality assurance;

(i) physical security and environmental controls, including but not limited to procedures around access to premises and systems;

(j) customer data privacy;

(k) procedures regarding facilitation of Digital Asset transactions initiated by a Client including, but not limited to, considering multi-factor authentication or any better standard for Digital Asset transactions that—

(i) exceed transaction limits set by the Client, such as accumulative transaction limits over a period of time; and

(ii) are initiated after a material change of personal details by the Client, such as the address of a Digital wallet;

(l) procedures regarding Client authentication and session controls including, but not limited to, the maximum number of incorrect attempts permitted for entering a password, appropriate time-out controls and password validity periods;

(m) procedures establishing adequate authentication checks when a change to a Client’s account information or contact details is requested;

(n) vendor and third-party service provider management;

(o) monitoring and implementing changes to core protocols not directly controlled by the Digital Asset Service Provider, as applicable;

(p) incident response, including but not limited to, root cause analysis and rectification activities to prevent reoccurrence;

(q) governance framework and escalation procedures for effective decision-making and proper management and control of risks and emergency incidents, including but not limited to responses to ransomware and other forms of cyberattacks; and

(r) hardware and infrastructure standards, including but not limited to network lockdown, services/desktop security and firewall standards.

(4) A Digital Asset Service Provider must consider the impact of any outsourcing arrangements, as well as the interoperability risks when dealing with systems and software provided by third parties, where applicable.

(5) A Digital Asset Service Provider must ensure all staff receive appropriate training in relation to cybersecurity.

(6) A Digital Asset Service Provider must inform the AFSA as soon as practicable if it becomes aware, or has reasonable grounds to believe, that a significant breach by any Person of its cyber-security may have occurred.

3.4.5. Cryptographic keys and Digital wallets management procedure

(1) A Digital Asset Service Provider must ensure that its cryptographic keys and Digital wallets management procedure addresses, to the extent necessary, the generation of cryptographic keys and Digital wallets, the signing and approval of transactions, the storage of cryptographic keys and seed phrases, and Digital wallets creation and management thereof.

(2) A Digital Asset Service Provider must:

(a) safeguard access to Digital Assets in accordance with industry best practices and, in particular, ensure that there is no single point of failure in the Digital Asset Service Provider’s access to, or knowledge of, Digital Assets held by the Digital Asset Service Provider;

(b) adopt industry best practices for storing the private keys of Clients, including ensuring that keys stored online or in one physical location are not capable of being used to conduct a Digital Asset transaction, unless appropriate controls are in place to ensure that access by an unauthorised individual is insufficient to conduct a transaction;

(c) ensure that backups of the key and seed phrases are stored in a separate location from the primary key or seed phrase;

(d) adopt strict access management controls to manage access to keys, including an audit log detailing each change of access to keys; and

(e) adopt procedures designed to be able to immediately revoke a key signatory’s access.

(3) A Digital Asset Service Provider must:

(a) ensure that its key generation process prevents revoked signatories from having access to the backup seed phrase or knowledge of the phrase used in the key’s creation;

(b) perform internal audits on a quarterly basis concerning the removal of user access by reviewing access logs and verifying access as appropriate;

(c) implement and maintain a procedure for documenting the onboarding and offboarding of staff;

(d) implement and maintain a procedure for documenting a Digital Asset Service Provider’s permission to grant or revoke access to each role in its key management system; and

(e) regularly assess the security of its IT systems or software integrations with external parties and ensure that the appropriate safeguards are implemented in order to mitigate all relevant risks.

(4) A Digital Asset Service Provider should provide information to Clients on measures they can take to protect their keys or seed phrases from misuse or unauthorised access, and the consequences of sharing their private keys and other security information.

(5) A Digital Asset Service Provider must ensure that access to its systems and data may only be granted to individuals with a demonstrable business need and implement safeguards to ensure the proper identification of all individuals, including the maintenance of an access log.

3.4.6. On-going monitoring

For the purposes of meeting the requirement in DAA 3.4.1, a Digital Asset Service Provider must have adequate procedures and arrangements for the evaluation, selection and on-going maintenance and monitoring of its IT systems. Such procedures and arrangements must, at a minimum, provide for:

(a) problem management and system change;

(b) testing IT systems before live operations in accordance with the requirements in DAA 3.4.7;

(c) real time monitoring and reporting on system performance, availability and integrity; and

(d) adequate measures to ensure:

(i) IT systems are resilient and not prone to failure;

(ii) business continuity in the event that an IT system fails;

(iii) protection of IT systems from damage, tampering, misuse or unauthorised access; and

(iv) the integrity of data forming part of, or being processed through, IT systems.

3.4.7. Testing and audit of technology systems

(1) A Digital Asset Service Provider must, before commencing live operation of its IT systems or any updates thereto, use development and testing methodologies in line with internationally accepted testing standards in order to test the viability and effectiveness of such systems. For this purpose, the testing must be adequate for the Digital Asset Service Provider to obtain reasonable assurance that, among other things:

(a) the systems enable it to comply with all the applicable requirements on an on-going basis;

(b) the systems can continue to operate effectively in stressed market conditions;

(c) the systems have sufficient electronic capacity to accommodate reasonably foreseeable volumes of messaging and orders; and

(d) any risk management controls embedded within the systems, such as generating automatic error reports, work as intended.

(2) A Digital Asset Service Provider must undergo a technology governance and IT audit, including vulnerability assessments and penetration testing, conducted by a qualified independent third party at least on an annual basis.

(3) A Digital Asset Service Provider must engage a qualified independent third-party auditor to audit any new systems, applications and products prior to their use.

(4) A Digital Asset Service Provider must provide the results of technology governance and IT assessments and tests to the AFSA promptly upon its request.

3.4.8. Technology audit reports

(1) This Rule applies to a Digital Asset Service Provider that:

(a) holds or controls Digital Assets;

(b) relies on DLT or similar technology to carry on one or more of the following Regulated Activities in relation to Digital Assets:

(i) Dealing in Investments as Principal;

(ii) Dealing in Investments as Agent;

(iii) Arranging Deals in Investments;

(iv) Managing Investments;

(v) Advising on Investments;

(vi) Providing Custody; or

(vii) Arranging Custody; or

(viii) is Managing a Collective Investment Scheme where 10% or more of the gross asset value of the Fund Property of the Fund consists of Digital Assets.

(2) The Authorised Firm must:

(a) appoint a suitably qualified independent third-party professional to:

(i) carry out an annual audit of the Authorised Firm’s compliance with the technology resources and governance requirements that apply to it; and

(ii) produce a written report which sets out the methodology and results of that annual audit, confirms whether the requirements referred to in DAA 3.4.7 have been met and lists any recommendations or areas of concern;

(b) submit to the AFSA a copy of the report referred to in DAA 3.4.8(2)(a)(ii) within 6 months of the financial year end; and

(c) be able to satisfy the AFSA that the independent third-party professional appointed to carry out the annual audit has the relevant expertise to do so, and that the Authorised Firm has done proper due diligence to satisfy itself of that fact.

Guidance:

Credentials which indicate that a qualified independent third-party auditor is suitable to conduct an audit of technology governance and IT systems may include:

(1) designation as a Certified Information Systems Auditor (CISA) or Certified Information Security Manager (CISM) by the Information Systems Audit and Control Association (ISACA);

(2) designation as a Certified Information Systems Security Professional (CISSP) by the International Information System Security Certification Consortium ((ISC)²);

(3) accreditation by a recognised and reputable body to certify compliance with relevant ISO/IEC 27000 series standards; or

(4) accreditation by the relevant body to certify compliance with the Kazakhstani standards in the area of information (cyber) security.

3.5. Policies, procedures, and public disclosures

3.5.1. Policies and procedures required for Digital Asset Service Providers

(1) A Digital Asset Service Provider carrying out a Regulated Activity of Advising on Investments must establish, implement and enforce appropriate written internal policies and procedures relating to the following:

(a) how it ensures the independent basis of its advice;

(b) how it explains the range of Digital Assets considered in providing its advice;

(c) how it ensures all Directors and Employees providing the relevant advice are sufficiently competent; and

(d) such other policies and procedures as the AFSA may require from time to time.

(2) A Digital Asset Service Provider carrying out Regulated Activities of Dealing in Investments as Principal or Agent must establish, implement and enforce appropriate written internal policies and procedures relating to the following:

(a) the prohibition, detection, prevention or deterrence of market offences and any other abusive practices within their business or using their services including, but not limited to, relevant internal rules, compliance programmes, sanctioning policies and powers;

(b) execution and routing of Client orders;

(c) the ability of Clients to have access to and withdraw their Digital Assets including, but not limited to, during periods of high uncertainty or extreme volatility; and

(d) such other policies and procedures as the AFSA may require from time to time.

(3) A Digital Asset Service Provider carrying out a Regulated Activity of Providing Custody must establish, implement and enforce appropriate written internal policies and procedures relating to the following:

(a) the ability of Clients to have access to and withdraw their Digital Assets including, but not limited to, during periods of high uncertainty or extreme volatility; and

(b) such other policies and procedures as the AFSA may require from time to time.

(4) A Digital Asset Service Provider carrying on a Regulated Activity of Managing Investments must establish, implement and enforce appropriate written internal policies and procedures relating to the following:

(a) the ability of Clients to have access to and withdraw their Digital Assets including, but not limited to, during periods of high uncertainty or extreme volatility;

(b) their assessment of Client suitability for relevant products or services, including but not limited to the nature, features, costs, complexity and risks of investment services, Digital Assets or other financial instruments selected for their Clients;

(c) how they ensure all Directors and Employees Managing Investments for Clients are sufficiently competent;

(d) the nature and frequency of reports to be provided to Clients; and

(e) such other policies and procedures as the AFSA may require from time to time.

(5) All Digital Asset Service Providers specified in (1) to (4) must assess and, in any case, at least yearly review the effectiveness of their policies and procedures and take appropriate measures to address any deficiencies.

3.5.2. Public disclosures

(1) All Digital Asset Service Providers specified in (1) to (4) in DAA 3.5.1. must publish on their website in a prominent place or make available by other publicly accessible means:

(a) a detailed description of any actual or potential conflicts of interest arising out of their activities, and how these are managed; and

(b) their policies and procedures relating to data privacy, whistleblowing and handling of Client complaints.

(2) In addition to (1), a Digital Asset Service Provider carrying out a Regulated Activity of Advising on Investments must publish on their website in a prominent place or make available by other publicly accessible means:

(a) a statement of whether the Digital Asset Service Provider refers or introduces Clients to other Persons including, but not limited to, other Digital Asset Service Providers, and if so, a description of the terms of such arrangements, and the monetary or non-monetary benefits received by the Digital Asset Service Provider, including by way of reciprocation for any service or business; and

(b) a statement of whether the Digital Asset Service Provider has accounts, funds or Digital Assets maintained by a third party and if so, provide the identity of that third party.

(3) In addition to (1), a Digital Asset Service Provider carrying out Regulated Activities of Dealing in Investments as Principal or Agent must publish on their website in a prominent place or make available by other publicly accessible means:

(a) a statement as to the Digital Asset Service Provider’s arrangements for the protection of Clients’ ownership of assets held by the Digital Asset Service Provider;

(b) a statement of whether the Digital Asset Service Provider refers or introduces Clients to other Persons including, but not limited to, other Digital Asset Service Providers and, if so, a description of the terms of such arrangements and the monetary or non-monetary benefits received by the Digital Asset Service Provider, including by way of reciprocation for any service or business; and

(c) a statement of whether the Digital Asset Service Provider has accounts, funds or Digital Assets maintained by a third party and if so, provide the identity of that third party.

(4) In addition to (1), a Digital Asset Service Provider carrying out a Regulated Activity of Providing Custody must publish on its website in a prominent place or make available by other publicly accessible means a statement of whether the Digital Asset Service Provider has accounts, funds or Digital Assets maintained by a third party and if so, provide the identity of that third party.

(5) In addition to (1), a Digital Asset Service Provider carrying out a Regulated Activity of Managing Investments must publish on its website in a prominent place or make available by other publicly accessible means:

(a) a statement as to the ability of Clients to have access to and withdraw their Digital Assets, particularly in times of extreme volatility;

(b) a statement as to the Digital Asset Service Provider’s arrangements for the protection of Clients’ assets held by the Digital Asset Service Provider;

(c) a statement as to how it protects Client Digital Assets from a counterparty risk;

(d) a statement as to how in the course of Managing Investments, Client Digital Assets are used and how Clients’ interests in relation to those Digital Assets are thereby respected;

(e) a statement explaining that Client Digital Assets used by the Digital Asset Service Provider in the course of Managing Investments may be at risk, including the types and nature of such risks, and a statement on the likelihood and severity of any losses which may be suffered;

(f) a statement in relation to order execution by the Digital Asset Service Provider, which includes an explanation of how orders will be executed;

(g) a statement as to how liquidity risk is managed; and

(h) such other information as the AFSA may require from time to time.

3.6. Requirements for Digital Asset Service Providers Advising on Investments and Arranging Deals in Investments

Guidance: A Digital Asset Service Provider which carries on a Regulated Activity of Advising on Investments in relation to Digital Assets is an Authorised Firm to which provisions of the following AIFC Acts apply either directly or in respect of its officers and Employees who are Approved or Designated Individuals:

FSFR (in whole);

AML (in whole);

Chapter 2 (Client classification) of the COB;

Chapter 3 (Communication with Clients and Financial Promotions) of the COB;

Chapter 4 (Key information and client agreement) of the COB;

COB 5.2 (Suitability assessment) of the COB;

Chapter 7 (Conflicts of interest) of the COB;

Chapter 10 (Investment research) of the COB;

Chapter 15 (Complaints handling and dispute resolution) of the COB;

Chapter 16 (Record keeping and internal audit) of the COB;

Chapter 2 (Controlled and Designated Functions) of the GEN;

Chapter 3 (Control of Authorised Persons) of the GEN;

Chapter 4 (Core Principles) of the GEN;

Chapter 5 (Systems and Controls) of the GEN;

Chapter 6 (Supervision) of the GEN; and

Rules on Currency Regulation and Provision of Information on Currency Transactions in the AIFC (in whole).

3.6.1. Verification of information

(1) In addition to requirements set out in Chapter 3 of the COB, a Digital Asset Service Provider Advising on Investments must provide advice which does not contain statements, promises, forecasts or other types of information which it knows or suspects to be misleading, false or deceptive or which it should have reasonably known to be misleading, false or deceptive at the time of making such statement, promise or forecast.

(2) Prior to making any statement, promise or forecast, a Digital Asset Service Provider Advising on Investments must verify factual information against appropriate and reliable source materials and must use all reasonable endeavours to verify the continued accuracy of such information.

3.6.2. Methodology

A Digital Asset Service Provider in the course of Advising on Investments must assess a broad range of Digital Assets available to the Client which should be sufficiently diverse such that the Client’s investment objectives, as agreed with the Digital Asset Service Provider, are met. A Digital Asset Service Provider must be clear with Clients what range of Digital Assets have been considered in the course of Advising on Investments.

3.6.3. Appropriateness test

(1) A Digital Asset Service Provider Arranging Deals in Investments must not carry on a Regulated Activity with or for a Retail Client unless the Digital Asset Service Provider has carried out an appropriateness test of the Retail Client and formed a reasonable view that the Retail Client has:

(a) adequate skills and expertise to understand the risks involved in trading in Digital Assets or Digital Asset Derivatives (as the case may be); and

(b) the ability to absorb potentially significant losses resulting from trading in Digital Assets or Digital Asset Derivatives (as the case may be).

(2) A Digital Asset Service Provider must maintain records of the appropriateness test that it carries out in respect of each Retail Client and make such records available to the AFSA on request.

(3) A Digital Asset Service Provider must have appropriate systems and controls and policies and procedures to determine the appropriateness of Retail Clients.

Guidance:

(1) To form a reasonable view referred to in DAA 3.6.3(1) in relation to a Retail Client, a Digital Asset Service Provider should consider issues such as whether the Retail Client:

(a) has sufficient knowledge and experience relating to the type of a Digital Asset or Digital Asset Derivative offered, having regard to such factors as:

(i) how often and in what volumes that Person has traded in the relevant type of a Digital Asset or Digital Asset Derivative; and

(ii) the Retail Client’s relevant qualifications, profession or former profession;

(b) understands the characteristics and risks relating to Digital Assets or Digital Asset Derivatives, and the volatility of their prices;

(c) understands the impact of leverage, due to which, there is potential to make significant losses in trading in Digital Assets or Digital Asset Derivatives; and

(d) has the ability, particularly in terms of net assets and liquidity available to the Retail Client, to absorb and manage any losses that may result from trading in the Digital Assets or Digital Asset Derivatives offered.

(2) To be able to demonstrate to the AFSA that it complies with DAA 3.6.3., a Digital Asset Service Provider should have in place systems and controls that include:

(a) pre-determined and clear criteria against which a Retail Client’s ability to trade in Digital Assets or Digital Asset Derivatives can be assessed;

(b) adequate records to demonstrate that the Digital Asset Service Provider has undertaken the appropriateness test for each Retail Client; and

(c) in the case of an existing Retail Client with whom the Digital Asset Service Provider has previously traded in Digital Assets or Digital Asset Derivatives, procedures to undertake a fresh appropriateness test on at least an annual basis, and if:

(i) a new Digital Asset or Digital Asset Derivative with a materially different risk profile is offered to the Retail Client; or

(ii) there has been a material change in the Retail Client’s circumstances.

(3) If a Digital Asset Service Provider forms the view that it is not appropriate for a Person to trade in Digital Assets or Digital Asset Derivatives, the Digital Asset Service Provider should refrain from offering that service to the Person. As a matter of good practice, the Digital Asset Service Provider should inform the Person of its decision.

3.7. Requirements for Digital Asset Service Providers Providing and Arranging Custody

3.7.1. Requirements for Digital Asset Service Providers Providing Custody of Digital Assets

(1) A Digital wallet Service Provider must ensure that:

(a) Client Digital Assets are recorded, registered and held in an appropriate manner to safeguard and control them, including being held separately from the Digital Asset Service Provider's own Digital Assets;

(b) any DLT application it uses in Providing Custody of Digital Assets is resilient, reliable and compatible with any relevant facility on which the Digital Assets are traded or cleared;

(c) it has in place Client agreements which specify the basis on which it holds Digital Assets on behalf of its Clients, and in particular whether they are held:

(i) on a segregated basis, in which case the Digital Asset Service Provider which is a Digital wallet Service Provider needs to clearly identify and segregate Digital Assets belonging to different Clients; or

(ii) on an omnibus basis, in which case the Digital Asset Service Provider which is a Digital wallet Service Provider needs to ensure that the total amount and type of Digital Assets held for Clients at all times matches the amounts it has agreed to hold for all its Clients, and that there are clear records regarding the amount of Digital Assets held for each Client; and

(d) it has in place appropriate procedures to enable it to confirm Client instructions and transactions, maintain appropriate records and data relating to those instructions and transactions and to conduct a reconciliation of those transactions at appropriate intervals.

(2) A Digital wallet Service Provider must ensure that, in developing and using DLT applications and other technology to Provide Custody of Digital Assets:

(a) the architecture of any Digital wallet used adequately addresses potential compatibility issues and associated risks;

(b) the technology used and its associated procedures have adequate security measures (including enabling adequate cyber security) to enable the safe storage and transmission of data relating to the Digital Assets;

(c) the security and integrity of cryptographic keys are maintained through the use of that technology, taking into account the password protection and methods of encryption used;

(d) there are adequate measures to address any risks specific to the methods of usage and storage of cryptographic keys (or their equivalent) available under the DLT application used; and

(e) the technology is compatible with the procedures and protocols built into the relevant rules or equivalent procedures and protocols on any facility on which the Digital Assets are traded or cleared or both traded and cleared.

(3) Digital Assets held by the Digital Asset Service Provider Providing Custody are not depository liabilities or assets of the Digital Asset Service Provider and the Digital Asset Service Provider must hold them on trust.

(4) A Digital Asset Service Provider Providing Custody of Digital Assets must segregate the Digital Assets of each Client in separate Digital wallets containing the Digital Assets of that Client only.

(5) A Digital Asset Service Provider Providing Custody must maintain control of each Digital Asset at all times while Providing Custody.

(6) A Digital Asset Service Provider Providing Custody must:

(a) have appropriate rules, procedures, and controls, including robust accounting practices, to safeguard the rights of Digital Assets issuers and holders, prevent the unauthorised creation or deletion of Digital Assets, and conduct daily reconciliation of each Digital Asset balance it maintains for issuers and holders;

(b) prohibit overdrafts and credit balances in Digital Asset accounts;

(c) maintain Digital Assets in an immobilised or dematerialised form for their transfer by book entry;

(d) protect assets against custody risk through appropriate rules and procedures consistent with its legal framework;

(e) ensure segregation between its own assets and the Digital Assets of its participants, as well as keeping clear records regarding which Digital Assets belong to which participant; and

(f) identify, measure, monitor, and manage its risks from other activities that it may perform.


Guidance:

Where an Authorised Person which is a Digital wallet Service Provider delegates any functions to a Third Party Digital wallet Service Provider, it must ensure that the delegate fully complies with the requirements of DAA 3.7.1. and the outsourcing and delegation requirements of GEN 5.2.

Delegation of any functions to a Third Party Digital wallet Service Provider must not affect a Digital wallet Service Provider's responsibility for the full and proper performance of those functions.

3.7.2. Digital wallet management

(1) Requirements in relation to Hot and Cold Digital wallet storage.

(a) A Digital wallet Service Provider must at all times maintain appropriate certifications as may be required under industry best practices applicable to the safekeeping of Digital Assets.

(b) Where a Digital wallet Service Provider uses a variety of storage mechanisms for Digital Assets, the Digital wallet Service Provider should conduct a risk-based analysis to determine the appropriate method of Digital Asset storage for different Digital Assets.

(c) Where a Digital wallet Service Provider uses a single storage mechanism for Digital Assets, the Digital wallet Service Provider should explicitly disclose to Clients any limitations regarding the suitability of that storage mechanism for different Digital Assets.

(d) A Digital wallet Service Provider should document in detail the methodology for determining when Digital Assets are transferred to and from Digital wallets. The mechanisms for transfer between different types of Digital wallets should be well documented and subject to internal controls and audits performed by an independent third-party auditor.

(2) Seed or key generation, storage, and use.

(a) To ensure a secure generation mechanism, a Digital wallet Service Provider must use industry best standards to create the seed, including by using asymmetric private and public key combinations, or other similar mechanisms.

(b) A Digital wallet Service Provider must consider all risks associated with producing a private key or seed for a signatory including whether the signatory should be involved in the generation process or whether creators of the seed, private key, or other similar mechanism should be prohibited from cryptographically signing any transaction or from having access to any relevant systems.

(c) A Digital wallet Service Provider must adopt industry best practices when using encryption and secure device storage for a Client’s private keys when not in use.

(d) A Digital wallet Service Provider must ensure that any keys stored online or in one physical location are not capable of being used to conduct a Digital Asset transaction, unless appropriate controls are in place to ensure that access by an unauthorised individual is insufficient to conduct a transaction.

(e) All key and seed backups must be stored in a separate location from the primary key and seed. Key and seed backups must be stored with encryption at least equal to the encryption used to protect the primary seed and key.

(f) Digital wallet Service Providers must mitigate the risk of collusion between all authorised parties or signatories who are able to authorise the movement, transfer or withdrawal of Digital Assets held on behalf of Clients. The risk of collusion and other internal points of failure should be addressed during recurring operational risk assessments.
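Paragraphs (2)(d), (2)(e) and (2)(f) together describe a threshold arrangement: no key material kept online or at a single site may be enough to sign, backups live elsewhere under at least the same encryption, and no single signatory (or small colluding group) can move Client assets. The block below is an added illustration, not part of the rules and not any AIFC firm's code: it splits a constructed 32-byte seed with Shamir secret sharing over the prime field 2^521 - 1 so that any 3 of 5 shares recover it and 2 reveal nothing; the share count, threshold and sample seed are assumptions. Recombining a seed in one place recreates exactly the single point of failure (2)(d) targets, so for signing itself a native multi-signature wallet or MPC threshold signing, where the full key never exists, is the usual production answer; sharing of this kind is for the backup and recovery path in (2)(e).

```python
import secrets
from typing import List, Tuple

# Mersenne prime 2^521 - 1. The field is larger than any 256-bit seed, so a
# 32-byte seed is a single field element and needs no chunking.
PRIME = 2**521 - 1

Share = Tuple[int, int]  # (x, y) point on the sharing polynomial


def split_seed(seed: bytes, shares: int, threshold: int) -> List[Share]:
    """Split `seed` into `shares` points; any `threshold` of them recover it.

    Each share is meant for a different location (offline vault, HSM, second
    site) and must be encrypted at rest at least as strongly as the primary
    seed (3.7.2(2)(e)); this function only produces the shares.
    """
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    secret = int.from_bytes(seed, "big")
    if secret >= PRIME:
        raise ValueError("seed too large for the field")
    # Random polynomial of degree threshold-1 whose constant term is the seed.
    # secrets.randbelow is a CSPRNG; never use random.* for key material.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    points: List[Share] = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation modulo PRIME
            y = (y * x + c) % PRIME
        points.append((x, y))
    return points


def recover_seed(shares: List[Share], seed_len: int) -> bytes:
    """Lagrange-interpolate the polynomial at x = 0 from the given shares.

    With fewer than `threshold` shares the arithmetic still yields a value,
    but it is not the seed: fewer than `threshold` points are consistent with
    every possible constant term, so nothing about the seed leaks.
    """
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share indices")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    if secret >= 1 << (8 * seed_len):
        raise ValueError("shares do not reconstruct a seed of this length")
    return secret.to_bytes(seed_len, "big")


def demo_custody_split(seed: bytes = bytes(range(32))) -> dict:
    """Constructed 3-of-5 split: three shares recover the seed, two do not."""
    shares = split_seed(seed, shares=5, threshold=3)
    with_threshold = recover_seed([shares[0], shares[2], shares[4]], len(seed)) == seed
    try:
        below_threshold = recover_seed(shares[:2], len(seed)) == seed
    except ValueError:
        below_threshold = False
    return {"threshold_recovers": with_threshold,
            "below_threshold_recovers": below_threshold}


if __name__ == "__main__":
    print(demo_custody_split())
```

The recovery ceremony is where (2)(b) and (2)(f) bite: the people who hold shares should not be the people who can sign with the reconstructed seed, and the ceremony should be logged and reviewed as part of the recurring operational risk assessment.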

(3) Lost or stolen keys.

(a) Digital wallet Service Providers must establish and maintain effective policies and procedures for the event that any seed or cryptographic key of any Digital wallet is lost or otherwise compromised.

(b) The policies and procedures must address matters including but not limited to:

(i) recovery of affected Digital Assets;

(ii) timely communications with all Clients and counterparties regarding the consequences arising from relevant incidents and the measures being taken to remedy them;

(iii) cooperation with law enforcement agencies and regulatory bodies; and

(iv) if applicable, preparation of winding down arrangements and public disclosure of such arrangements.

3.7.3. Contractual arrangement

A Digital Asset Service Provider that is Providing Custody for a Client should provide such activity based on a contractual arrangement. Under such an arrangement a Client is lawfully in control of, or entitled to control, a Digital Asset. Transfers of control of the Digital Asset to a Digital Asset Service Provider solely for the purpose of receiving custody services does not in any way transfer to the Digital Asset Service Provider any legal interest in the Digital Asset or any discretionary authority not stated in the Client Agreement or otherwise agreed to by the Client.

3.7.4. Client Agreement for a Digital Asset Service Provider Providing Custody of Digital Assets

A Digital Asset Service Provider Providing Custody of Digital Assets must enter into a Client Agreement with each Client that includes:

(a) a breakdown of all fees and charges payable to or via the Digital Asset Service Provider and when they are charged;

(b) any information required to carry out a transfer;

(c) the form and procedures for giving consent to a transfer;

(d) an indication of the time it will normally take to carry out a transfer;

(e) details of when a transfer will be considered to be complete;

(f) how, and in what form, information and communications relating to transfer services will be provided to the Client, including the timing and frequency of communications, the language used and any technical requirements for the Client’s equipment and software to receive the communications;

(g) clear policies and procedures relating to unauthorised or incorrectly executed transfers, including the circumstances in which the Client is and is not entitled to redress;

(h) clear policies and procedures relating to how situations where the holding or transfer of Digital Assets may have been compromised are dealt with, such as if there has been hacking, theft or fraud;

(i) details of the procedures the Authorised Firm will follow to contact the Client, or which the Client may use to contact the Authorised Firm if there has been suspected or actual hacking, theft or fraud; and

(j) the mechanisms by which the Client can keep track of Digital Assets held with the Digital Asset Service Provider.

3.7.5. Client accounts

(1) A Digital Asset Service Provider which Provides Custody or holds or controls Client Digital Assets must register or record all Digital Assets in the legal title of a Client Account or, where this is not feasible, for example due to a legal requirement or market practice, in the legal title of the Digital Asset Service Provider.

(2) A Client Account is an account which:

(a) is held with a Third Party Agent or by a Digital Asset Service Provider which is authorised under its Licence to carry on the Regulated Activity of Providing Custody;

(b) is established to hold Client Digital Assets;

(c) when held by a Third Party Agent, is maintained in the name of:

(i) if a Domestic Firm, the Digital Asset Service Provider; or

(ii) if not a Domestic Firm, a Nominee Company controlled by the Digital Asset Service Provider; and

(d) includes the words ‘Client Account’ in its title.

(3) A Digital Asset Service Provider must maintain a master list of all Client Accounts for 6 years from the closure of the relevant account that must detail:

(a) the name of the account;

(b) the account number;

(c) the location of the account;

(d) whether the account is currently open or closed; and

(e) the date of opening or closure.

(4) A Digital Asset Service Provider which intends to use the Client’s Digital Assets for its own purpose or that of another Person, must have systems and controls in place to ensure that:

(a) it obtains that Client’s prior explicit informed written consent to such use, and that Clients are aware of the risks incurred in giving such consent;

(b) adequate records are maintained to record how Digital Assets are applied as collateral or used for stock lending activities;

(c) equivalent assets are returned to the Client Account of the Client; and

(d) the Client is not disadvantaged by such use of its Digital Assets in any way to which the Client has not explicitly consented.

3.7.6. Client disclosure

(1) Before a Digital Asset Service Provider arranges custody for a Client it must disclose to that Client, if applicable, that the Client’s Digital Assets may be held in a jurisdiction outside the AIFC and that the market practices, insolvency and legal regime applicable in that jurisdiction may differ from the regime applicable in the AIFC.

(2) Before a Digital Asset Service Provider provides custody for a Client it must disclose to the Client on whose behalf the Digital Assets will be held:

(a) the arrangements for recording and registering Digital Assets, claiming and receiving any entitlements, and the giving and receiving instructions relating to them;

(b) the obligations the Digital Asset Service Provider will have to the Client in relation to exercising rights on behalf of the Client;

(c) the basis on which, and any terms governing the way in which, Digital Assets will be held, including any rights which the Digital Asset Service Provider may have to realise Digital Assets held on behalf of the Client in satisfaction of a default by the Client;

(d) the method and frequency with which the Digital Asset Service Provider will report to the Client in relation to his Digital Assets;

(e) if applicable, a statement that the Digital Asset Service Provider intends to pool Digital Assets with those of other Clients;

(f) if applicable, a statement that the Client’s Digital Assets may be held in a jurisdiction outside the AIFC and the market practices, insolvency and legal regime applicable in that jurisdiction may differ from the regime applicable in the AIFC;

(g) if applicable, a statement that the Digital Asset Service Provider holds or intends to hold Digital Assets in a Client Account with a Third Party Agent which is in the same Group as the Digital Asset Service Provider; and

(h) the extent of the Digital Asset Service Provider’s liability in the event of default by a Third Party Agent, and any rights that the Client may have in respect of the Third Party Agent.

3.7.7. Client reporting

(1) A Digital Asset Service Provider which provides custody or which holds or controls Digital Assets for a Client must send a statement to each Client at least every 6 months.

(2) The statement must include:

(a) a list of that Client’s Digital Assets as at the date of reporting;

(b) a list of that Client’s Collateral and the market value of that Collateral as at the date of reporting; and

(c) details of any Client Money held by the Digital Asset Service Provider as at the date of reporting.

(3) The statement must be sent to the Client within 25 business days of the statement date.

3.7.8. Reconciliation

(1) A Digital Asset Service Provider which carries out a Regulated Activity of Providing Custody or Arranging Custody must:

(a) (where the Digital Asset Service Provider is Arranging Custody) at least every 25 business days reconcile its records of Client Accounts held with Third Party Agents with monthly statements received from those Third Party Agents in respect of each individual Client’s ledger balances; or

(b) (where the Digital Asset Service Provider is Providing Custody) at least every 25 business days perform an internal custody record reconciliation in respect of each individual Client’s ledger balances.

(2) A Digital Asset Service Provider must ensure that the process of reconciliation does not involve any conflict of interest in terms of providing a full and accurate reconciliation.

3.7.9. Requirements where shortfalls or discrepancies are detected

(1) Where a Digital Asset Service Provider identifies a discrepancy as a result of carrying out an internal record check or an external custody reconciliation, the Digital Asset Service Provider must:

(a) promptly take all reasonable steps to investigate and resolve the discrepancy;

(b) take appropriate steps for the treatment of any shortfalls until the discrepancy is resolved;

(c) take reasonable steps to avoid a recurrence of any identifiable action which resulted in the discrepancy; and

(d) notify the AFSA where the discrepancy is material or otherwise cannot be promptly resolved.

(2) A discrepancy should not be considered resolved until it is investigated fully and corrected, and any associated shortfall is resolved by the Digital Asset Service Provider ensuring that:

(a) it is holding the correct Digital Assets for each of its Clients; and

(b) its own records, and the records of any relevant Third Party Digital wallet Service Provider, are accurate.

(3) Where a shortfall is detected, until such a shortfall is resolved, the Digital Asset Service Provider must do one of the following:

(a) allocate a specific number of its own applicable Digital Assets to cover the value of the shortfall and hold them in such a way for the relevant Clients so that the proceeds of their liquidation will be available for the benefit of the relevant Clients in the event of the Digital Asset Service Provider’s failure; or

(b) appropriate a sufficient amount of its own money to cover the value of the shortfall and hold it for the relevant Client(s).

(4) The value of any shortfall must be determined by reference to the previous day’s closing mark to market valuation of the relevant Digital Assets, or, if that information is not available in relation to a particular Digital Asset, the most recently available valuation information. If the value of a Digital Asset is volatile or there are any other reasons which make it difficult to value, the Digital Asset Service Provider should consider whether it is appropriate to set aside an additional amount to cover any change in the value of the shortfall.

(5) Until the discrepancy is resolved the Digital Asset Service Provider must consider whether it would be appropriate to notify affected Client(s) of the situation. In considering whether to notify Clients, the Digital Asset Service Provider must act honestly, fairly and professionally and in the best interests of its Client(s).
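The reconciliation in 3.7.8 and the shortfall treatment and valuation in 3.7.9(3) and (4) amount to a small, testable control. The Python below is an added illustration, not part of the rules and not any firm's code: it aggregates a constructed per-Client ledger into the total the firm must hold per asset, compares that with the balances observed in custody (or on a Third Party Agent's statement), flags shortfalls and unexplained excesses alike, values each shortfall at the previous day's close, falling back to the most recent valuation where there is no close and refusing to guess where there is none, and grosses the money to be set aside up by an assumed 10% volatility buffer. All balances, prices and the buffer are constructed sample values.

```python
from decimal import Decimal
from typing import Dict, List, Tuple

# Constructed sample data (not from the rules). The client ledger is what the
# firm has agreed to hold for each Client; the custody balances are what its
# own wallets (or a Third Party Agent's statement) actually show per asset.
CLIENT_LEDGER: List[Tuple[str, str, str]] = [
    ("client-A", "BTC", "1.50"),
    ("client-B", "BTC", "0.25"),
    ("client-A", "ETH", "10.0"),
    ("client-C", "ETH", "4.0"),
    ("client-C", "XYZ", "100"),
]
CUSTODY_BALANCES: Dict[str, str] = {"BTC": "1.70", "ETH": "14.5", "XYZ": "100"}
# Previous day's closing mark-to-market prices (USD). XYZ has no close, so the
# most recently available valuation is used instead (3.7.9(4)).
PREV_CLOSE_USD: Dict[str, str] = {"BTC": "60000", "ETH": "3000"}
LAST_KNOWN_USD: Dict[str, str] = {"XYZ": "0.10"}
# Assumed extra set-aside for volatile assets; the rules leave the amount to the firm.
VOLATILITY_BUFFER = Decimal("0.10")


def expected_by_asset(ledger: List[Tuple[str, str, str]]) -> Dict[str, Decimal]:
    """Sum the per-Client ledger into the total the firm must hold per asset."""
    totals: Dict[str, Decimal] = {}
    for _client, asset, qty in ledger:
        totals[asset] = totals.get(asset, Decimal("0")) + Decimal(qty)
    return totals


def reconcile(ledger: List[Tuple[str, str, str]], custody: Dict[str, str]) -> Dict[str, Decimal]:
    """Custody balance minus ledger total, per asset.

    Negative = shortfall; positive = unexplained excess. Both are discrepancies
    under 3.7.9(1): an excess usually means a Client's assets were posted to
    the wrong account, so it is investigated rather than treated as a gain.
    """
    expected = expected_by_asset(ledger)
    diffs: Dict[str, Decimal] = {}
    for asset in sorted(set(expected) | set(custody)):
        diffs[asset] = Decimal(custody.get(asset, "0")) - expected.get(asset, Decimal("0"))
    return diffs


def discrepancies(diffs: Dict[str, Decimal]) -> Dict[str, Decimal]:
    """Assets whose custody balance does not match the ledger."""
    return {a: d for a, d in diffs.items() if d != 0}


def price_for(asset: str, prev_close: Dict[str, str], last_known: Dict[str, str]) -> Decimal:
    """3.7.9(4): previous close, else the most recent valuation, else refuse to guess."""
    if asset in prev_close:
        return Decimal(prev_close[asset])
    if asset in last_known:
        return Decimal(last_known[asset])
    raise LookupError(f"no valuation available for {asset}")


def shortfall_cover(diffs: Dict[str, Decimal], prev_close: Dict[str, str],
                    last_known: Dict[str, str], buffer: Decimal = VOLATILITY_BUFFER) -> Dict[str, dict]:
    """What the firm must set aside until each shortfall is resolved.

    `units` is the quantity of its own Digital Assets to allocate (3.7.9(3)(a));
    `usd_with_buffer` is the money to appropriate instead (3.7.9(3)(b)),
    grossed up by the volatility buffer.
    """
    cover: Dict[str, dict] = {}
    for asset, diff in diffs.items():
        if diff >= 0:
            continue
        units = -diff
        usd = units * price_for(asset, prev_close, last_known)
        cover[asset] = {
            "units": units,
            "usd": usd,
            "usd_with_buffer": (usd * (1 + buffer)).quantize(Decimal("0.01")),
        }
    return cover


if __name__ == "__main__":
    diffs = reconcile(CLIENT_LEDGER, CUSTODY_BALANCES)
    print("discrepancies:", discrepancies(diffs))
    print("cover:", shortfall_cover(diffs, PREV_CLOSE_USD, LAST_KNOWN_USD))
```

A per-asset comparison alone will not catch two Clients' balances being swapped, which is why 3.7.8 requires the reconciliation at the level of each individual Client's ledger balance; the per-Client ledger is kept in the sample so the same data can drive that check. Whoever runs it should sit outside the team that operates the Client Accounts, as the Guidance below requires.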


Guidance

(1) A Digital Asset Service Provider should maintain a clear separation of duties so that Employees with responsibility for operating Client Accounts, or with authority over Digital Assets held for Clients, do not perform the reconciliations under DAA 3.7.8.

(2) Reconciliations performed in accordance with DAA 3.7.8. must be reviewed by a member of the Digital Asset Service Provider's Board.

(3) The individual referred to in (2) must provide a written statement confirming that the reconciliation has been undertaken in accordance with the requirements of DAA 3.7.8. and this Guidance.

(4) A material discrepancy includes discrepancies which have the cumulative effect of being material, such as longstanding discrepancies.

3.8. Requirements for Digital Asset Service Providers Managing Investments and a Collective Investment Scheme

Guidance: A Digital Asset Service Provider which carries on a Regulated Activity of Managing Investments in relation to Digital Assets is an Authorised Firm to which provisions of the following AIFC Acts apply either directly or in respect of its officers and Employees who are Approved or Designated Individuals:

FSFR (in whole);

AML (in whole);

Chapter 2 (Client classification) of the COB;

Chapter 3 (Communication with Clients and Financial Promotions) of the COB;

Chapter 4 (Key information and client agreement) of the COB;

COB 5.2 (Suitability assessment);

Chapter 7 (Conflicts of interest) of the COB;

Chapter 15 (Complaints handling and dispute resolution) of the COB;

Chapter 16 (Record keeping and internal audit) of the COB;

Chapter 2 (Controlled and Designated Functions) of the GEN;

Chapter 3 (Control of Authorised Persons) of the GEN;

Chapter 4 (Core Principles) of the GEN;

Chapter 5 (Systems and Controls) of the GEN;

Chapter 6 (Supervision) of the GEN; and

Rules on Currency Regulation and Provision of Information on Currency Transactions in the AIFC (in whole).


A Digital Asset Service Provider which carries on a Regulated Activity of Managing a Collective Investment Scheme in relation to Digital Assets is an Authorised Firm to which provisions of the following AIFC Acts apply either directly or in respect of its officers and Employees who are Approved or Designated Individuals:

FSFR (in whole);

AML (in whole);

Chapter 2 (Client classification) of the COB;

Chapter 3 (Communication with Clients and Financial Promotions) of the COB;

Chapter 4 (Key information and client agreement) of the COB;

Chapter 7 (Conflicts of interest) of the COB;

Chapter 15 (Complaints handling and dispute resolution) of the COB;

Chapter 16 (Record keeping and internal audit) of the COB;

Chapter 2 (Controlled and Designated Functions) of the GEN;

Chapter 3 (Control of Authorised Persons) of the GEN;

Chapter 4 (Core Principles) of the GEN;

Chapter 5 (Systems and Controls) of the GEN;

Chapter 6 (Supervision) of the GEN; and

Rules on Currency Regulation and Provision of Information on Currency Transactions in the AIFC (in whole).

3.8.1. Verification of information

(1) In addition to requirements set out in Chapter 3 of the COB, a Digital Asset Service Provider Managing Investments or a Collective Investment Scheme must not provide statements, promises, forecasts or other types of information which it knows or suspects to be misleading, false or deceptive or which it should have reasonably known to be misleading, false or deceptive at the time of making such statement, promise or forecast.

(2) Prior to making any statement, promise or forecast, a Digital Asset Service Provider Managing Investments or a Collective Investment Scheme must verify factual information against appropriate and reliable source materials and must use all reasonable endeavours to verify the continued accuracy of such information (for as long as such information is communicated by or on behalf of the Digital Asset Service Provider). A Digital Asset Service Provider should state the date on which the information was last verified in the relevant communication.

3.8.2. Client reporting and valuation

(1) A Digital Asset Service Provider Managing Investments or a Collective Investment Scheme must, at least monthly, provide to each of its Clients a written statement containing the following information:

(a) the total value of Digital Assets in a Client’s account; and

(b) the change in amount and valuation of Digital Assets in a Client’s account during the relevant reporting period.

(2) A Digital Asset Service Provider Managing Investments or a Collective Investment Scheme must ensure that all assets under management are subject to ongoing independent valuation.

(3) A Digital Asset Service Provider Managing Investments or a Collective Investment Scheme must have comprehensive and well documented valuation policies and procedures in place to ensure the production of timely and accurate statements in accordance with DAA 3.8.2. (1).

3.8.3. Risk management and due diligence

(1) A Digital Asset Service Provider Managing Investments or a Collective Investment Scheme must ensure that liquidity risk and market risk are each monitored and tested regularly, and appropriate measures are in place as required to address any such risk in a prompt manner.

(2) All such risk management and due diligence must be audited by an independent third party on an annual basis and provided to the AFSA upon request.

3.8.4. Content of confirmation notes

(1) For the purposes of COB 9.1.3., a Digital Asset Service Provider Managing a Collective Investment Scheme must include the following general information:

(a) the Digital Asset Service Provider’s name and address;

(b) a description of the Digital Assets;

(c) whether the Transaction is a sale or purchase;

(d) the price or unit price at which the Transaction was executed;

(e) if applicable, a statement that the Transaction was executed on an execution-only basis;

(f) the date and time of the Transaction;

(g) the amount the Digital Asset Service Provider charges in connection with the Transaction, including Commission charges and the amount of any Mark-up or Mark-down, Fees, taxes or duties;

(h) the amount or basis of any amounts received from another Person in connection with the services; and

(i) a statement that the price at which the Transaction has been Executed is on a Historic Price or Forward Price basis, as the case may be.

(2) A Digital Asset Service Provider may combine items (f) and (j) above in respect of a Transaction where the Client has requested a note showing a single price combining both of these items.

3.9. Requirements for Digital Asset Service Providers Dealing in Investments as Principal or Agent

Guidance: A Digital Asset Service Provider which carries on a Regulated Activity of Dealing in Investments as Principal or Agent in relation to Digital Assets is an Authorised Firm to which provisions of the following AIFC Acts apply either directly or in respect of its officers and Employees who are Approved or Designated Individuals:

FSFR (in whole);

AML (in whole);

Chapter 2 (Client classification) of the COB;

Chapter 3 (Communication with Clients and Financial Promotions) of the COB;

Chapter 4 (Key information and client agreement) of the COB;

COB 5.3 (Appropriateness assessment);

Chapter 6 (Order execution and order handling) of the COB;

Chapter 7 (Conflicts of interest) of the COB;

Chapter 9 (Reporting to Clients) of the COB;

Chapter 15 (Complaints handling and dispute resolution) of the COB;

Chapter 16 (Record keeping and internal audit) of the COB;

Chapter 2 (Controlled and Designated Functions) of the GEN;

Chapter 3 (Control of Authorised Persons) of the GEN;

Chapter 4 (Core Principles) of the GEN;

Chapter 5 (Systems and Controls) of the GEN;

Chapter 6 (Supervision) of the GEN; and

Rules on Currency Regulation and Provision of Information on Currency Transactions in the AIFC (in whole).

3.9.1. Content of confirmation notes

(1) For the purposes of COB 9.1.3., a Digital Asset Service Provider must include the following general information:

(a) the Digital Asset Service Provider’s name and address;

(b) whether the Digital Asset Service Provider executed the Transaction as principal or agent;

(c) a description of the Digital Asset;

(d) whether the Transaction is a sale or purchase;

(e) the price or unit price at which the Transaction was executed;

(f) if applicable, a statement that the Transaction was executed on an execution-only basis;

(g) the date and time of the Transaction;

(h) the total amount payable by the Client and the date on which it is due;

(i) the amount the Digital Asset Service Provider charges in connection with the Transaction, including Commission charges and the amount of any Mark-up or Mark-down, Fees, taxes or duties; and

(j) the amount or basis of any amounts received from another Person in connection with the services.

(2) A Digital Asset Service Provider may combine items (f) and (j) above in respect of a Transaction where the Client has requested a note showing a single price combining both of these items.

3.9.2. Appropriateness test

(1) A Digital Asset Service Provider Dealing in Investments as Principal or Agent must not carry on a Regulated Activity with or for a Retail Client unless the Digital Asset Service Provider has carried out an appropriateness test of the Retail Client and formed a reasonable view that the Retail Client has:

(a) adequate skills and expertise to understand the risks involved in trading in Digital Assets or Digital Asset Derivatives (as the case may be); and

(b) the ability to absorb potentially significant losses resulting from trading in Digital Assets or Digital Asset Derivatives (as the case may be).

(2) A Digital Asset Service Provider must maintain records of the appropriateness test that it carries out in respect of each Retail Client and make such records available to the AFSA on request.

(3) A Digital Asset Service Provider must have appropriate systems and controls and policies and procedures to determine the appropriateness of Retail Clients.


Guidance:

(1) To form a reasonable view referred to in DAA 3.9.2.(1) in relation to a Retail Client, a Digital Asset Service Provider should consider issues such as whether the Retail Client:

(a) has sufficient knowledge and experience relating to the type of a Digital Asset or Digital Asset Derivative offered, having regard to such factors as:

(i) how often and in what volumes that Person has traded in the relevant type of a Digital Asset or Digital Asset Derivative; and

(ii) the Retail Client’s relevant qualifications, profession or former profession;

(b) understands the characteristics and risks relating to Digital Assets or Digital Asset Derivatives, and the volatility of their prices;

(c) understands the impact of leverage, due to which, there is potential to make significant losses in trading in Digital Assets or Digital Asset Derivatives; and

(d) has the ability, particularly in terms of net assets and liquidity available to the Retail Client, to absorb and manage any losses that may result from trading in the Digital Assets or Digital Asset Derivatives offered.

(2) To be able to demonstrate to the AFSA that it complies with DAA 3.9.2, a Digital Asset Service Provider should have in place systems and controls that include:

(a) pre-determined and clear criteria against which a Retail Client’s ability to trade in Digital Assets or Digital Asset Derivatives can be assessed;

(b) adequate records to demonstrate that the Digital Asset Service Provider has undertaken the appropriateness test for each Retail Client; and

(c) in the case of an existing Retail Client with whom the Digital Asset Service Provider has previously traded in Digital Assets or Digital Asset Derivatives, procedures to undertake a fresh appropriateness test on at least an annual basis, and if:

(i) a new Digital Asset or Digital Asset Derivative with a materially different risk profile is offered to the Retail Client; or

(ii) there has been a material change in the Retail Client’s circumstances.

(3) If a Digital Asset Service Provider forms the view that it is not appropriate for a Person to trade in Digital Assets or Digital Asset Derivatives, the Digital Asset Service Provider should refrain from offering that service to the Person. As a matter of good practice, the Digital Asset Service Provider should inform the Person of its decision.

 

3.10. Provision of key features document and disclosure of risks

3.10.1. Provision of key features document to Person

(1) A Digital Asset Service Provider which carries on any one or more of the following Regulated Activities in relation to Digital Assets:

(a) Dealing in Investments as Principal;

(b) Dealing in Investments as Agent;

(c) Advising on Investments; and

(d) Arranging Deals in Investments,

must not provide that service or services to a Person unless it has provided the Person with a key features document.

(2) The key features document must contain the following information if known (or, if not known after having taken reasonable steps to determine this information, a clear statement must be provided that such information is not known):

(a) the essential characteristics of the Digital Asset, including where appropriate a reference to the location of any publicly available white paper setting out the features of the Digital Asset;

(b) the risks associated with the Digital Asset;

(c) whether the Digital Asset is admitted to trading within the AIFC;

(d) (where the Digital Asset Service Provider is involved in Providing Custody or Arranging Custody of the Digital Asset) whether the Client, the Digital Asset Service Provider or a third party is responsible for providing a Digital wallet service in respect of the Digital Asset, and any related risks (including at whose risk the Client’s Digital Assets are held in the Digital wallet, whether it is accessible online or stored offline, what happens if keys to the Digital wallet are lost and what procedures can be followed in such an event);

(e) how the Client may exercise any rights conferred by the Digital Assets; and

(f) any other information relevant to the particular Digital Asset which would reasonably assist the Client to make informed decisions in respect of it.

(3) The key features document must be provided in good time before the relevant service is provided to a Client, so that the Client can make an informed decision about whether to use the relevant service.

(4) The key features document does not need to be provided to a Client to whom the Digital Asset Service Provider has previously provided that information, if there has been no significant change since the information was previously provided.

(5) A Digital Asset Service Provider may use a key features document prepared by another Person if it has taken reasonable steps to ensure that the information in that document is complete, accurate and up to date.

(6) If a Digital Asset Service Provider provides a Client with a key features document prepared by another Person, the Digital Asset Service Provider remains accountable to the Client to whom the key features document is provided as if that document were prepared by the Digital Asset Service Provider itself.

3.10.2. Risk warnings

(1) A Digital Asset Service Provider must display prominently on its website the following risk warnings relating to Digital Assets:

(a) (except in the case of a Central Bank Digital Currency) that Digital Assets are not legal tender or backed by a government;

(b) that Digital Assets are subject to extreme volatility and the value of a Digital Asset can fall quickly (including, in respect of a Fiat stablecoin or Commodity stablecoin, if it loses its stability peg);

(c) that an investor in Digital Assets may lose all, or part, of the value of their investment;

(d) that Digital Assets may not always be liquid or transferable;

(e) that investments in Digital Assets may be complex making it hard to understand the risks associated with participating in them;

(f) that Digital Assets can be stolen because of cyber attacks;

(g) that trading in Digital Assets is susceptible to irrational market forces;

(h) that the nature of Digital Assets may lead to an increased risk of Financial Crime;

(i) that there are limited or, in some cases, no mechanisms for the recovery of lost or stolen Digital Assets;

(j) that Digital Assets carry risks with regard to anonymity, irreversibility of transactions, accidental transactions, transaction recording, and settlement;

(k) that the nature of Digital Assets means that technological difficulties experienced by a Digital Asset Trading Facility Operator may prevent access to or use of a Client’s Digital Assets;

(l) that participating in Digital Assets is not comparable to participating in traditional investments such as Securities; and

(m) that there is no recognised compensation scheme to provide an avenue of redress for aggrieved participants.

(2) If a Digital Asset Service Provider presents any marketing or educational materials or other communications relating to a Digital Asset on a website, in the general media or as part of a distribution made to existing or potential new Clients, it must include the risk warnings referred to in 3.10.2(1) in a prominent place at or near the top of each page of the materials or communication.

(3) If the material referred to in 3.10.2(1) is provided on a website or an application that can be downloaded to a mobile device, the warning must be:

(a) statically fixed and visible at the top of the screen even when a person scrolls up or down the webpage; and

(b) included on each linked webpage on the website; and

(c) if, due to limitations on the medium of communication used, it is not practicable to provide the material referred to in 3.10.2(1), reference may be made instead to the fact that participation in Digital Assets is a high risk investment, accompanied by a link to the relevant section of the Digital Asset Service Provider’s website where the material referred to in 3.10.2(1) is provided.

 

3.10.3. Past performance and forecasts of Digital Assets

(1) A Digital Asset Service Provider must ensure that any information or representation relating to past performance, or any future forecast based on past performance or other assumptions, which is provided to or targeted at Retail Clients:

(a) presents a fair and balanced view of the Digital Assets and associated services to which the information or representation relates;

(b) identifies, in an easy-to-understand manner, the source of information from which the past performance is derived, and clearly explains any key facts and assumptions used in that context; and

(c) contains a clear and prominent warning that past performance is not necessarily a reliable indicator of future results. 

(2) A Digital Asset Service Provider should, in providing information about the past performance of a Digital Asset:

(a) consider the knowledge and sophistication of the audience to whom the information is targeted;

(b) fully disclose the source and the nature of the past performance presented;

(c) ensure that the time period used is not an inappropriately short period, or a selective period, that is potentially misleading; and

(d) if a comparison is being made, ensure that the comparison is fair, clear and not misleading.

 

3.11. Clients

3.11.1. Investment limits

A Digital Asset Service Provider must maintain effective systems and controls to ensure its compliance with the requirements and limits imposed by the Rules on Currency Regulation and Provision of Information on Currency Transactions in the AIFC when dealing with a Retail Client who is a resident of the Republic of Kazakhstan.

3.11.2. Calculation of an individual Client’s net assets

(1) For the purposes of calculating an individual Client’s net assets in order to treat the Client as an Assessed Professional Client under Rule 2.5.1(a) of the COB, the Digital Asset Service Provider:

(a) must exclude the value of the primary residence of the Client;

(b) must exclude Digital Assets belonging to the Client that are not admitted to trading;

(c) must include only 30% of the market value of a Digital Asset admitted to trading, which belongs to the Client, but must include 100% of the market value of Fiat and Commodity stablecoins backed by reserves, which belong to the Client; and

(d) may include any other assets held directly or indirectly by that Client.

3.12. Prohibitions

(1) A Representative Office must not market a Digital Asset or a Financial Service related to a Digital Asset.

(2) An Authorised Crowdfunding Platform Operating an Investment Crowdfunding Platform must not facilitate a Person investing in Digital Assets.

(3) An Authorised Firm may not carry on an activity related to a Utility Token or Non-Fungible Token.

(4) The prohibition in (3) does not apply to a Digital Asset Service Provider:

(a) which is authorised to Provide Custody; and

(b) to the extent that it Provides Custody in relation to a Utility Token or Non-Fungible Token.

3.13. Obligations

3.13.1. Obligation to report to the AFSA

(1) A Digital Asset Service Provider must submit to the AFSA a quarterly report that must include its financial statement, its income statement, a calculation of its relevant capital resources and a statement of its compliance and any non-compliance with these Rules.

(2) A Digital Asset Service Provider must provide the following information to the AFSA within 6 months after its financial year end:

(a) the number of prospective clients which the Digital Asset Service Provider rejected during the reporting period;

(b) the number of Clients which were offboarded during the reporting period;

(c) the number of Clients where enhanced due diligence was applied;

(d) the total number of the Digital Asset Service Provider’s Clients;

(e) the number of Clients originating from a high risk jurisdiction;

(f) the number of Clients on-boarded on a face-to-face basis;

(g) a description of any changes to the Client onboarding process;

(h) the number of suspicious transaction reports filed during the reporting period;

(i) the number of individuals supporting the MLRO;

(j) when the Digital Asset Service Provider’s risk assessment was last updated and whether any additional risks were identified;

(k) (if applicable) the number of private keys held;

(l) (if applicable) whether Clients’ Digital Assets are held with a third party custodian;

(m) whether the Digital Asset Service Provider forms part of a group, and if so, the group structure;

(n) whether the Digital Asset Service Provider entered into any resource sharing agreements and, if so, the names of the counterparties;

(o) whether the Digital Asset Service Provider outsources any of its functions and, if so, any changes to the functions outsourced and to which companies;

(p) an overview of any involvement of the Digital Asset Service Provider’s shareholders in the day-to-day operations of the Digital Asset Service Provider during the reporting period; and

(q) an overview of any instances of market abuse encountered by the Digital Asset Service Provider during the reporting period.

(3) The AFSA may request a Digital Asset Service Provider to submit other returns. The AFSA from time to time may prescribe the required list of returns to be submitted and the returns templates to be used.

(4)  Returns submitted to the AFSA must be signed by two (2) Approved Individuals and one of them must be approved to exercise the Finance Officer function.

3.13.2. Obligation to notify the AFSA

If a Digital Asset Service Provider becomes aware, or has reasonable grounds to believe, that it is or may be (or may be about to be) in breach of any of these Rules it must:

(a) notify the AFSA in writing about the breach and the relevant circumstances immediately and not later than within 1 business day of becoming aware of it; and

(b) not make any cash transfers or payments or transfers of liquid assets to its Affiliates or Related Persons, whether by way of dividends or otherwise, without the AFSA’s written consent. 

 

Guidance:

In dealing with a breach, or possible breach, of this Part, the AFSA’s primary concern will be the interests of existing and prospective Clients, the potential adverse impact on market participants, and market stability. The AFSA recognises that there will be circumstances in which a problem may be resolved quickly, for example, by support from a parent entity, without jeopardising the interests of Clients and other stakeholders. In such circumstances, it will be in the interests of all parties to minimise the disruption to the firm’s business. The AFSA will normally seek to work cooperatively with the Digital Asset Service Provider in stressed situations to deal with any problems. There will, however, be circumstances in which it is necessary to take regulatory action to avoid exposing market participants, Clients and other stakeholders to the potential adverse consequences of the Digital Asset Service Provider’s Failure, and the AFSA will not hesitate to take appropriate action if it considers this necessary.

3.14. AFSA power to impose requirements

Without limiting the powers available to the AFSA under Part 8 of the Framework Regulations, the AFSA may direct a Digital Asset Service Provider to do or not do specified things that the AFSA considers necessary or desirable to ensure the integrity of the AIFC financial markets, including but not limited to directions imposing on a Digital Asset Service Provider any additional requirements that the AFSA considers appropriate.