3.3. Governance

3.3.1. Mandatory appointments

(1) In addition to the mandatory appointments required by GEN 2.1., a Digital Asset Service Provider must appoint a Chief Information Technology Officer, who is an individual responsible for its ongoing information technology (“IT”) operations, maintenance and security oversight to ensure that the Digital Asset Service Provider’s IT systems are reliable and adequately protected from external attack or incident.

(2) AFSA may direct a Digital Asset Service Provider to appoint a Risk Manager.

3.3.2. Board of Directors of a Digital Asset Service Provider

(1) A Digital Asset Service Provider must have an effective Board of Directors which is collectively accountable for ensuring that the Digital Asset Service Provider's business is managed prudently and soundly. At least one-third of the Board of Directors should comprise independent Directors.

Note: Rule 2.3.2(1) will come into force 12 months after the commencement of these Rules.

(2) The AFSA may issue guidance on the requirements relating to Board composition, structure, duties and powers as well as skills, experience and qualifications of Directors, and other relevant requirements.

(3) The Board must ensure that there is a clear division between its responsibility for setting the strategic aims and undertaking the oversight of the Digital Asset Service Provider and the senior management’s responsibility for managing the Digital Asset Service Provider’s business in accordance with the strategic aims and risk parameters set by the Board as well as applicable law and regulation.

(4) The Board and its committees must have an appropriate balance of skills, experience, independence, and knowledge of the Digital Asset Service Provider’s business, and adequate resources, including access to expertise as required and timely and comprehensive information relating to the affairs of the Digital Asset Service Provider.

(5) The Board must ensure that the Digital Asset Service Provider has an adequate, effective, well-defined and well-integrated risk management, internal control and compliance framework.

(6) The Board must ensure that the rights of shareholders are properly safeguarded through appropriate measures that enable the shareholders to exercise their rights effectively, promote effective dialogue with shareholders and other key stakeholders as appropriate, and prevent any abuse or oppression of minority shareholders.

(7) The Board must ensure that the Digital Asset Service Provider’s financial and other reports present an accurate, balanced and understandable assessment of the Digital Asset Service Provider’s financial position and prospects by ensuring that there are effective internal risk control and reporting requirements.

(8) A Director of the Digital Asset Service Provider must act:

(a) on a fully informed basis;

(b) in good faith;

(c) honestly;

(d) with due skill, care and diligence; and

(e) in the best interests of the Digital Asset Service Provider and its shareholders and users.