3.7. Requirements for Digital Asset Service Providers Providing and Arranging Custody

3.7.1. Requirements for Digital Asset Service Providers Providing Custody of Digital Assets

(1) A Digital wallet Service Provider must ensure that:

(a) the Digital Assets it holds are recorded, registered and held in an appropriate manner to safeguard and control them, including that they must be held separately from the Digital Asset Service Provider's own Digital Assets;

(b) any DLT application it uses in Providing Custody of Digital Assets is resilient, reliable and compatible with any relevant facility on which the Digital Assets are traded or cleared;

(c) it has in place Client agreements which specify the basis on which it holds Digital Assets on behalf of its Clients, and in particular whether they are held:

(i) on a segregated basis, in which case the Digital Asset Service Provider which is a Digital wallet Service Provider needs to clearly identify and segregate Digital Assets belonging to different Clients; or

(ii) on an omnibus basis, in which case the Digital Asset Service Provider which is a Digital wallet Service Provider needs to ensure at all times that the total amount and type of Digital Assets held for Clients matches the amounts it has agreed to hold for all its Clients, and that there are clear records regarding the amount of Digital Assets held for each Client; and

(d) it has in place appropriate procedures to enable it to confirm Client instructions and transactions, maintain appropriate records and data relating to those instructions and transactions and to conduct a reconciliation of those transactions at appropriate intervals.

(2) A Digital wallet Service Provider must ensure that, in developing and using DLT applications and other technology to Provide Custody of Digital Assets:

(a) the architecture of any Digital wallet used adequately addresses potential compatibility issues and associated risks;

(b) the technology used and its associated procedures have adequate security measures (including enabling adequate cyber security) to enable the safe storage and transmission of data relating to the Digital Assets;

(c) the security and integrity of cryptographic keys are maintained through the use of that technology, taking into account the password protection and methods of encryption used;

(d) there are adequate measures to address any risks specific to the methods of usage and storage of cryptographic keys (or their equivalent) available under the DLT application used; and

(e) the technology is compatible with the procedures and protocols built into the relevant rules or equivalent procedures and protocols on any facility on which the Digital Assets are traded or cleared or both traded and cleared.

(3) Digital Assets held by the Digital Asset Service Provider Providing Custody are not depository liabilities or assets of the Digital Asset Service Provider and the Digital Asset Service Provider must hold them on trust.

(4) A Digital Asset Service Provider Providing Custody of Digital Assets must segregate the Digital Assets of each Client in separate Digital wallets containing the Digital Assets of that Client only.

(5) A Digital Asset Service Provider Providing Custody must maintain control of each Digital Asset at all times while Providing Custody.

(6) A Digital Asset Service Provider Providing Custody must:

(a) have appropriate rules, procedures, and controls, including robust accounting practices, to safeguard the rights of Digital Assets issuers and holders, prevent the unauthorised creation or deletion of Digital Assets, and conduct daily reconciliation of each Digital Asset balance it maintains for issuers and holders;

(b) prohibit overdrafts and credit balances in Digital Assets accounts;

(c) maintain Digital Assets in an immobilised or dematerialised form for their transfer by book entry;

(d) protect assets against custody risk through appropriate rules and procedures consistent with its legal framework;

(e) ensure segregation between its own assets and the Digital Assets of its participants, as well as keeping clear records regarding which Digital Assets belong to which participant; and

(f) identify, measure, monitor, and manage its risks from other activities that it may perform.

Guidance:

Where an Authorised Person which is a Digital wallet Service Provider delegates any functions to a Third Party Digital wallet Service Provider, it must ensure that the delegate fully complies with the requirements of DAA 3.7.1. and the outsourcing and delegation requirements of GEN 5.2.

Delegation of any functions to a Third Party Digital wallet Service Provider must not affect a Digital wallet Service Provider’s responsibility for the full and proper performance of those functions.

3.7.2. Digital wallet management

(1) Requirements in relation to Hot and Cold Digital wallet storage.

(a) A Digital wallet Service Provider must at all times maintain appropriate certifications as may be required under industry best practices applicable to the safekeeping of Digital Assets.

(b) Where a Digital wallet Service Provider uses a variety of storage mechanisms for Digital Assets, the Digital wallet Service Provider should conduct a risk-based analysis to determine the appropriate method of Digital Asset storage for different Digital Assets.

(c) Where a Digital wallet Service Provider uses a single storage mechanism for Digital Assets, the Digital wallet Service Provider should explicitly disclose to Clients any limitations regarding the suitability of that storage mechanism for different Digital Assets.

(d) A Digital wallet Service Provider should document in detail the methodology for determining when Digital Assets are transferred to and from Digital wallets. The mechanisms for transfer between different types of Digital wallets should be well documented and subject to internal controls and audits performed by an independent third-party auditor.

(2) Seed or key generation, storage, and use.

(a) To ensure a secure generation mechanism, a Digital wallet Service Provider must use industry best standards to create the seed, including by using asymmetric private and public key combinations, or other similar mechanisms.

(b) A Digital wallet Service Provider must consider all risks associated with producing a private key or seed for a signatory including whether the signatory should be involved in the generation process or whether creators of the seed, private key, or other similar mechanism should be prohibited from cryptographically signing any transaction or from having access to any relevant systems.

(c) A Digital wallet Service Provider must adopt industry best practices when using encryption and secure device storage for a Client’s private keys when not in use.

(d) A Digital wallet Service Provider must ensure that any keys stored online or in one physical location are not capable of being used to conduct a Digital Asset transaction, unless appropriate controls are in place to ensure that access by an unauthorised individual is insufficient to conduct a transaction.

(e) All key and seed backups must be stored in a separate location from the primary key and seed. Key and seed backups must be stored with encryption at least equal to the encryption used to protect the primary seed and key.

(f) Digital wallet Service Providers must mitigate the risk of collusion between all authorised parties or signatories who are able to authorise the movement, transfer or withdrawal of Digital Assets held on behalf of Clients. The risk of collusion and other internal points of failure should be addressed during recurring operational risk assessments.

(3) Lost or stolen keys.

(a) Digital wallet Service Providers must establish and maintain effective policies and procedures in the event that any seed or cryptographic keys of any Digital wallet are lost or otherwise compromised.

(b) The policy and procedures must address matters including but not limited to:

(i) recovery of affected Digital Assets;

(ii) timely communications with all Clients and counterparties regarding consequences arising from relevant incidents and measures being taken to remedy such consequences;

(iii) cooperation with law enforcement agencies and regulatory bodies; and

(iv) if applicable, preparation of winding down arrangements and public disclosure of such arrangements.

3.7.3. Contractual arrangement

A Digital Asset Service Provider that is Providing Custody for a Client should provide such activity based on a contractual arrangement. Under such an arrangement a Client is lawfully in control of, or entitled to control, a Digital Asset. Transfers of control of the Digital Asset to a Digital Asset Service Provider solely for the purpose of receiving custody services do not in any way transfer to the Digital Asset Service Provider any legal interest in the Digital Asset or any discretionary authority not stated in the Client Agreement or otherwise agreed to by the Client.

3.7.4. Client Agreement for a Digital Asset Service Provider Providing Custody of Digital Assets

A Digital Asset Service Provider Providing Custody of Digital Assets must enter into a Client Agreement with each Client that includes:

(a) a breakdown of all fees and charges payable to or via the Digital Asset Service Provider and when they are charged;

(b) any information required to carry out a transfer;

(c) the form and procedures for giving consent to a transfer;

(d) an indication of the time it will normally take to carry out a transfer;

(e) details of when a transfer will be considered to be complete;

(f) how, and in what form, information and communications relating to transfer services will be provided to the Client, including the timing and frequency of communications, the language used and any technical requirements for the Client’s equipment and software to receive the communications;

(g) clear policies and procedures relating to unauthorised or incorrectly executed transfers, including the circumstances in which the Client is and is not entitled to redress;

(h) clear policies and procedures relating to how situations where the holding or transfer of Digital Assets may have been compromised are dealt with, such as if there has been hacking, theft or fraud;

(i) details of the procedures the Authorised Firm will follow to contact the Client, or which the Client may use to contact the Authorised Firm if there has been suspected or actual hacking, theft or fraud; and

(j) the mechanisms by which the Client can keep track of Digital Assets held with the Digital Asset Service Provider.

3.7.5. Client accounts

(1) A Digital Asset Service Provider which Provides Custody or holds or controls Client Digital Assets must register or record all Digital Assets in the legal title of a Client Account or, where this is not feasible, for example, due to a legal requirement or market practice, the Digital Asset Service Provider.

(2) A Client Account is an account which:

(a) is held with a Third Party Agent or by a Digital Asset Service Provider which is authorised under its Licence to carry on the Regulated Activity of Providing Custody;

(b) is established to hold Client Digital Assets;

(c) when held by a Third Party Agent, is maintained in the name of;

(i) if a Domestic Firm, the Digital Asset Service Provider; or

(ii) if not a Domestic Firm, a Nominee Company controlled by the Digital Asset Service Provider; and

(d) includes the words ‘Client Account’ in its title.

(3) A Digital Asset Service Provider must maintain a master list of all Client Accounts for 6 years from the closure of the relevant account that must detail:

(a) the name of the account;

(b) the account number;

(c) the location of the account;

(d) whether the account is currently open or closed; and

(e) the date of opening or closure.

(4) A Digital Asset Service Provider which intends to use the Client’s Digital Assets for its own purpose or that of another Person, must have systems and controls in place to ensure that:

(a) it obtains that Client’s prior explicit informed written consent to such use, and that Clients are aware of the risks incurred in giving such consent;

(b) adequate records are maintained to record how Digital Assets are applied as collateral or used for stock lending activities;

(c) equivalent assets are returned to the Client Account of the Client; and

(d) the Client is not disadvantaged by such use of his Digital Assets in any way to which the Client has not explicitly consented.

3.7.6. Client disclosure

(1) Before a Digital Asset Service Provider arranges custody for a Client it must disclose to that Client, if applicable, that the Client’s Digital Assets may be held in a jurisdiction outside the AIFC and that the market practices, insolvency and legal regime applicable in that jurisdiction may differ from the regime applicable in the AIFC.

(2) Before a Digital Asset Service Provider provides custody for a Client it must disclose to the Client on whose behalf the Digital Assets will be held:

(a) the arrangements for recording and registering Digital Assets, claiming and receiving any entitlements, and the giving and receiving instructions relating to them;

(b) the obligations the Digital Asset Service Provider will have to the Client in relation to exercising rights on behalf of the Client;

(c) the basis on which, and any terms governing the way in which, Digital Assets will be held, including any rights which the Digital Asset Service Provider may have to realise Digital Assets held on behalf of the Client in satisfaction of a default by the Client;

(d) the method and frequency with which the Digital Asset Service Provider will report to the Client in relation to his Digital Assets;

(e) if applicable, a statement that the Digital Asset Service Provider intends to pool Digital Assets with those of other Clients;

(f) if applicable, a statement that the Client’s Digital Assets may be held in a jurisdiction outside the AIFC and the market practices, insolvency and legal regime applicable in that jurisdiction may differ from the regime applicable in the AIFC;

(g) if applicable, a statement that the Digital Asset Service Provider holds or intends to hold Digital Assets in a Client Account with a Third Party Agent which is in the same Group as the Digital Asset Service Provider; and

(h) the extent of the Digital Asset Service Provider’s liability in the event of default by a Third Party Agent, and any rights that the Client may have in respect of the Third Party Agent.

3.7.7. Client reporting

(1) A Digital Asset Service Provider which provides custody or which holds or controls Digital Assets for a Client must send a statement to each Client at least every 6 months.

(2) The statement must include:

(a) a list of that Client’s Digital Assets as at the date of reporting;

(b) a list of that Client’s Collateral and the market value of that Collateral as at the date of reporting; and

(c) details of any Client Money held by the Digital Asset Service Provider as at the date of reporting.

(3) The statement must be sent to the Client within 25 business days of the statement date.

3.7.8. Reconciliation

(1) A Digital Asset Service Provider which carries out a Regulated Activity of Providing Custody or Arranging Custody must:

(a) (where the Digital Asset Service Provider is Arranging Custody) at least every 25 business days reconcile its records of Client Accounts held with Third Party Agents with monthly statements received from those Third Party Agents in respect of each individual Client’s ledger balances; or

(b) (where the Digital Asset Service Provider is Providing Custody) at least every 25 business days perform an internal custody record reconciliation in respect of each individual Client’s ledger balances.

(2) A Digital Asset Service Provider must ensure that the process of reconciliation does not involve any conflict of interest in terms of providing a full and accurate reconciliation.

3.7.9. Requirements where shortfalls or discrepancies are detected

(1) Where a Digital Asset Service Provider identifies a discrepancy as a result of carrying out an internal record check or an external custody reconciliation, the Digital Asset Service Provider must:

(a) promptly take all reasonable steps to investigate and resolve the discrepancy;

(b) take appropriate steps for the treatment of any shortfalls until the discrepancy is resolved;

(c) take reasonable steps to avoid a recurrence of any identifiable action which resulted in the discrepancy; and

(d) notify the AFSA where the discrepancy is material or otherwise cannot be promptly resolved.

(2) A discrepancy should not be considered resolved until it is investigated fully and corrected, and any associated shortfall is resolved by the Digital Asset Service Provider ensuring that:

(a) it is holding the correct Digital Assets for each of its Clients; and

(b) its own records, and the records of any relevant Third Party Digital wallet Service Provider, are accurate.

(3) Where a shortfall is detected, until such a shortfall is resolved, the Digital Asset Service Provider must do one of the following:

(a) allocate a specific number of its own applicable Digital Assets to cover the value of the shortfall and hold them in such a way for the relevant Clients so that the proceeds of their liquidation will be available for the benefit of the relevant Clients in the event of the Digital Asset Service Provider’s failure; or

(b) appropriate a sufficient amount of its own money to cover the value of the shortfall and hold it for the relevant Client(s).

(4) The value of any shortfall must be determined by reference to the previous day’s closing mark to market valuation of the relevant Digital Assets, or, if that information is not available in relation to a particular Digital Asset, the most recently available valuation information. If the value of a Digital Asset is volatile or there are any other reasons which make it difficult to value, the Digital Asset Service Provider should consider whether it is appropriate to set aside an additional amount to cover any change in the value of the shortfall.

(5) Until the discrepancy is resolved the Digital Asset Service Provider must consider whether it would be appropriate to notify affected Client(s) of the situation. In considering whether to notify Clients, the Digital Asset Service Provider must act honestly, fairly and professionally and in the best interests of its Client(s).
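The reconciliation required by DAA 3.7.8 and the shortfall valuation in DAA 3.7.9(4) can be mechanised. The following Python is an added illustration, not part of the rules or of any provider's system; the ledger, held balances and valuations are constructed sample data, and the function and field names are the author's own.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Optional, Tuple

# Constructed sample data (illustrative only).
# Internal ledger: what the provider has agreed to hold for each Client (DAA 3.7.1(1)(c)(ii)).
CLIENT_LEDGER: Dict[str, Dict[str, Decimal]] = {
    "client-A": {"BTC": Decimal("1.50"), "ETH": Decimal("10")},
    "client-B": {"BTC": Decimal("0.25"), "XYZ": Decimal("500")},
}
# What the custody wallets (or a Third Party Agent statement) actually show as held.
HELD_BALANCES: Dict[str, Decimal] = {
    "BTC": Decimal("1.70"), "ETH": Decimal("10"), "XYZ": Decimal("480"), "DOGE": Decimal("5"),
}
# Previous day's closing mark-to-market valuation; XYZ has no close, only an older quote.
PREV_CLOSE: Dict[str, Decimal] = {"BTC": Decimal("60000"), "ETH": Decimal("3000")}
LAST_KNOWN_VALUATION: Dict[str, Decimal] = {"XYZ": Decimal("0.10")}


@dataclass
class Discrepancy:
    asset: str
    expected: Decimal                   # sum of Client entitlements per the internal ledger
    held: Decimal                       # balance actually held
    shortfall_units: Decimal            # 0 when the discrepancy is a surplus
    shortfall_value: Optional[Decimal]  # None when no valuation source exists
    valuation_source: str


def valuation_for(asset: str, prev_close: Dict[str, Decimal],
                  last_known: Dict[str, Decimal]) -> Tuple[Optional[Decimal], str]:
    """DAA 3.7.9(4): previous day's close first, else the most recent available valuation."""
    if asset in prev_close:
        return prev_close[asset], "previous-day close"
    if asset in last_known:
        return last_known[asset], "most recent available valuation"
    return None, "unavailable"


def reconcile(ledger: Dict[str, Dict[str, Decimal]], held: Dict[str, Decimal],
              prev_close: Dict[str, Decimal], last_known: Dict[str, Decimal]) -> List[Discrepancy]:
    """Compare aggregated Client entitlements with held balances and value any shortfall."""
    expected: Dict[str, Decimal] = {}
    for positions in ledger.values():
        for asset, qty in positions.items():
            expected[asset] = expected.get(asset, Decimal(0)) + qty
    found: List[Discrepancy] = []
    for asset in sorted(set(expected) | set(held)):
        exp, act = expected.get(asset, Decimal(0)), held.get(asset, Decimal(0))
        if exp == act:
            continue  # ledger and holdings agree for this asset
        short = max(exp - act, Decimal(0))  # a surplus is still a discrepancy to investigate
        price, source = valuation_for(asset, prev_close, last_known)
        value = Decimal(0) if short == 0 else (short * price if price is not None else None)
        found.append(Discrepancy(asset, exp, act, short, value, source))
    return found


def total_shortfall_value(discrepancies: List[Discrepancy]) -> Optional[Decimal]:
    """Amount to set aside under DAA 3.7.9(3); None if any shortfall cannot be valued."""
    total = Decimal(0)
    for d in discrepancies:
        if d.shortfall_units > 0:
            if d.shortfall_value is None:
                return None
            total += d.shortfall_value
    return total
```

A `None` total signals that 3.7.9(4)'s fallback chain is exhausted for some asset and a manual valuation decision, with the additional buffer the rule contemplates for hard-to-value assets, is required before the set-aside can be fixed.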


Guidance

(1) A Digital Asset Service Provider should maintain a clear separation of duties to ensure that Employees with responsibility for operating Client Accounts, or who have authority over Digital Assets held for Clients, do not perform the reconciliations under DAA 3.7.8.

(2) Reconciliations performed in accordance with DAA 3.7.8. must be reviewed by a member of the Digital Asset Service Provider who is a member of the Board.

(3) The individual referred to in (2) must provide a written statement confirming that the reconciliation has been undertaken in accordance with the requirements of DAA 3.7.8 and this Guidance.

(4) A material discrepancy includes discrepancies which have the cumulative effect of being material, such as longstanding discrepancies.