Entire Act

4.6. Technology governance, controls and security

4.6.1. Systems, controls and procedures

(1) A Digital Asset Service Provider must ensure that it implements systems and controls necessary to address the risks, including cybersecurity-related risks, to its business. The relevant systems and controls should take into account such factors that include the nature, scale and complexity of the Digital Asset Service Provider’s business, the diversity of its operations, the volume and size of its business and the level of risk inherent in its business.

(2) A Digital Asset Service Provider must have adequate systems and controls to enable it to calculate and monitor its capital resources and its compliance with the requirements in DAA 4.2. The systems and controls must be in writing and must be appropriate for the nature, scale and complexity of the Digital Asset Service Provider’s business and its risk profile.

(3) A Digital Asset Service Provider must employ appropriate and proportionate systems, resources, and procedures to ensure the continued and regular performance of its services and activities.

(4) If the issuer of a Fiat stablecoin or Commodity Stablecoin decides to discontinue providing services and activities, such as issuing the Fiat stablecoin or Commodity Stablecoin, the issuer of a Fiat stablecoin or Commodity Stablecoin must present a plan to the AFSA for such discontinuation, for the AFSA’s approval, and comply with any requirements imposed by the AFSA in relation to such discontinuation.

(5) Issuer of a Fiat stablecoin must identify sources of operational risks and minimise those risks through the development of appropriate systems, controls and procedures.

(6) Issuer of a Fiat stablecoin must have internal control mechanisms and effective procedures for risk management.

4.6.2. Technology governance and risk assessment framework

(1) A Digital Asset Service Provider must implement a technology governance and risk assessment framework which must be comprehensive and proportionate to the nature, scale, and complexity of the risks inherent in their business model.

(2) The technology governance and risk assessment framework must apply to all technologies relevant to a Digital Asset Service Provider’s business and clearly set out the Digital Asset Service Provider’s cybersecurity objectives.

(3) A Digital Asset Service Provider must ensure that its technology governance and risk assessment framework is capable of determining the necessary processes and controls that it must implement in order to adequately mitigate any risks identified.

(4) A Digital Asset Service Provider must ensure that its technology governance and risk assessment framework addresses appropriate governance policies and system development controls, such as a development, maintenance and testing process for technology systems and operations controls, back-up controls, capacity and performance planning and availability testing.

4.6.3. Cyber-security matters

A Digital Asset Service Provider must take reasonable steps to ensure that its IT systems are reliable and adequately protected from external attack or incident.

4.6.4. Cyber-security policy

(1) A Digital Asset Service Provider must create and implement a policy which outlines their procedures for the protection of its electronic systems.

(2) A Digital Asset Service Provider must ensure that its cyber-security policy is reviewed at least annually by its Chief Information Technology Officer.

(3) The cyber-security policy must, as a minimum, address the following areas:

(a) information security;

(b) data governance and classification;

(с) access controls;

(d) capacity and performance planning;

(e) systems operations and availability concerns;

(f) systems and network security, consensus protocol methodology, code and smart contract validation and audit processes;

(g) systems and application development and quality assurance;

(h) physical security and environmental controls, including procedures around access to premises and systems;

(i) customer data privacy;

(j) procedures regarding the facilitation of Digital Asset transactions initiated by a Client including considering multi-factor authentication or any better standard for Digital Asset transactions that—

(i) exceed transaction limits set by the Client, such as accumulative transaction limits over a period of time; and

(ii) are initiated after a change of personal details by the Client, such as the address of a Digital wallet;

(k) procedures regarding Client authentication and session controls including the maximum incorrect attempts for entering a password, appropriate time-out controls and password validity periods;

(l) procedures establishing adequate authentication checks when a change to a Client’s account information or contact details is requested;

(m) vendor and third-party service provider management;

(n) monitoring and implementing changes to core protocols not directly controlled by the Digital Asset Service Provider;

(o) incident response, including root cause analysis and rectification activities to prevent reoccurrence;

(p) governance framework and escalation procedures for effective decision-making and proper management and control of risks and emergency incidents, including responses to ransomware and other forms of cyberattacks; and

(q) hardware and infrastructure standards, including network lockdown, services/desktop security and firewall standards.