4.6. Technology governance, controls and security
4.6.1. Systems, controls and procedures
(1) A Digital Asset Service Provider must ensure that it implements systems and controls necessary to address the risks, including cybersecurity-related risks, to its business. The relevant systems and controls should take into account such factors that include the nature, scale and complexity of the Digital Asset Service Provider’s business, the diversity of its operations, the volume and size of its business and the level of risk inherent in its business.
(2) A Digital Asset Service Provider must have adequate systems and controls to enable it to calculate and monitor its capital resources and its compliance with the requirements in DAA 4.2. The systems and controls must be in writing and must be appropriate for the nature, scale and complexity of the Digital Asset Service Provider’s business and its risk profile.
(3) A Digital Asset Service Provider must employ appropriate and proportionate systems, resources, and procedures to ensure the continued and regular performance of its services and activities.
(4) If the issuer of a Fiat stablecoin or Commodity stablecoin decides to discontinue providing services and activities, such as issuing the Fiat stablecoin or Commodity stablecoin, the issuer of a Fiat stablecoin or Commodity stablecoin must present a plan to the AFSA for such discontinuation, for the AFSA’s approval, and comply with any requirements imposed by the AFSA in relation to such discontinuation.
(5) Issuer of a Fiat stablecoin or Commodity stablecoin must identify sources of operational risks and minimise those risks through the development of appropriate systems, controls and procedures.
(6) Issuer of a Fiat stablecoin or Commodity stablecoin must have internal control mechanisms and effective procedures for risk management.
4.6.1.-1. Risk warnings
(1) An Authorised Firm Providing Money Services in relation to Digital Assets and issuing Fiat stablecoins must display prominently on its website the following risk warnings relating to Digital Assets:
(a) except in the case of a Central Bank Digital Currency, Digital Assets are not legal tender or backed by a government;
(b) Digital Assets are subject to extreme volatility, and the value of the Fiat stablecoins can fall quickly (including, in respect of a Fiat stablecoin or Commodity stablecoin, if it loses its stability peg);
(c) that Digital Assets may not always be liquid or transferable;
(d) that Digital Assets can be stolen because of cyberattacks;
(e) that the nature of Digital Assets may lead to an increased risk of Financial Crime;
(f) there are limited or, in some cases, no mechanisms available for the recovery of lost or stolen Digital Assets;
(g) the risks of Digital Assets with regard to anonymity, irreversibility of transactions, accidental transactions, transaction recording, and settlement;
(h) that the nature of Digital Assets means that technological difficulties experienced by an Authorised Firm Providing Money Services in relation to Digital Assets or a Digital Asset Service Provider may prevent access to or use of a Client’s Digital Assets;
(i) that there is no recognised compensation scheme to provide an avenue of redress for aggrieved participants.
(2) Where an Authorised Firm Providing Money Services in relation to Digital Assets presents any marketing or educational materials, or other communications relating to Digital Assets, approved in accordance with subrule (1), whether on a website, in the general media or as part of a distribution made to existing or potential new Clients, it must include the risk warning referred to in subrule (1) in a prominent place at or near the top of each page of the materials or communication.
(3) If the materials referred to in (1) are provided on a website or an application that can be downloaded to a mobile device, the warning must be:
(a) statically fixed and visible at the top of the screen, even when a person scrolls up or down the webpage;
(b) included on each linked webpage on the website; and
(c) provided before final confirmation of any transaction.
4.6.2. Technology governance and risk assessment framework
(1) A Digital Asset Service Provider must implement a technology governance and risk assessment framework which must be comprehensive and proportionate to the nature, scale, and complexity of the risks inherent in its business model.
(2) The technology governance and risk assessment framework must apply to all technologies relevant to a Digital Asset Service Provider’s business and clearly set out the Digital Asset Service Provider’s cybersecurity objectives.
(3) A Digital Asset Service Provider must ensure that its technology governance and risk assessment framework is capable of determining the necessary processes and controls that it must implement in order to adequately mitigate any risks identified.
(4) A Digital Asset Service Provider must ensure that its technology governance and risk assessment framework addresses appropriate governance policies and system development controls, such as a development, maintenance and testing process for technology systems and operations controls, back-up controls, capacity and performance planning and availability testing.
4.6.3. Cyber-security matters
A Digital Asset Service Provider must take reasonable steps to ensure that its IT systems are reliable and adequately protected from external attack or incident.
4.6.4. Cyber-security policy
(1) A Digital Asset Service Provider must create and implement a policy which outlines its procedures for the protection of its electronic systems.
(2) A Digital Asset Service Provider must ensure that its cyber-security policy is reviewed at least annually by its Chief Information Technology Officer.
(3) The cyber-security policy must, as a minimum, address the following areas:
(a) information security;
(b) data governance and classification;
(c) access controls;
(d) capacity and performance planning;
(e) systems operations and availability concerns;
(f) systems and network security, consensus protocol methodology, code and smart contract validation and audit processes;
(g) systems and application development and quality assurance;
(h) physical security and environmental controls, including procedures around access to premises and systems;
(i) customer data privacy;
(j) procedures regarding the facilitation of Digital Asset transactions initiated by a Client including considering multi-factor authentication or any better standard for Digital Asset transactions that—
(i) exceed transaction limits set by the Client, such as accumulative transaction limits over a period of time; and
(ii) are initiated after a change of personal details by the Client, such as the address of a Digital wallet;
(k) procedures regarding Client authentication and session controls including the maximum incorrect attempts for entering a password, appropriate time-out controls and password validity periods;
(l) procedures establishing adequate authentication checks when a change to a Client’s account information or contact details is requested;
(m) vendor and third-party service provider management;
(n) monitoring and implementing changes to core protocols not directly controlled by the Digital Asset Service Provider;
(o) incident response, including root cause analysis and rectification activities to prevent reoccurrence;
(p) governance framework and escalation procedures for effective decision-making and proper management and control of risks and emergency incidents, including responses to ransomware and other forms of cyberattacks; and
(q) hardware and infrastructure standards, including network lockdown, services/desktop security and firewall standards.
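One way to encode the transaction step-up controls in (j) and the session controls in (k) as a policy check, as an added example that is not taken from the rulebook or from any AFSA-published code; the cumulative limit, cooling-off period after a wallet address change, lockout threshold, idle time-out and password validity period are assumed values, not figures the rules set:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

@dataclass
class ClientProfile:
    cumulative_limit: float          # Client-set limit over a rolling window, rule (j)(i)
    limit_window: timedelta
    wallet_changed_at: Optional[datetime] = None   # last change of wallet address, rule (j)(ii)
    cooling_off: timedelta = timedelta(hours=24)   # assumed step-up period after a detail change
    history: List[Tuple[datetime, float]] = field(default_factory=list)  # (time, amount) settled

def requires_step_up(p, amount, now):
    """Decide whether a Client-initiated transaction must be gated behind MFA."""
    since = now - p.limit_window
    accumulated = sum(v for t, v in p.history if t > since)
    if accumulated + amount > p.cumulative_limit:
        return True, "cumulative limit exceeded"
    if p.wallet_changed_at is not None and now - p.wallet_changed_at < p.cooling_off:
        return True, "recent wallet address change"
    return False, "within limits"

@dataclass
class SessionPolicy:
    max_failed_attempts: int = 5                       # assumed lockout threshold, rule (k)
    idle_timeout: timedelta = timedelta(minutes=15)    # assumed time-out control
    password_max_age: timedelta = timedelta(days=90)   # assumed password validity period

def session_state(failed, last_active, pw_set, now, pol=SessionPolicy()):
    """Apply the session controls in the order a login gateway would check them."""
    if failed >= pol.max_failed_attempts:
        return "locked"
    if now - last_active > pol.idle_timeout:
        return "session_expired"
    if now - pw_set > pol.password_max_age:
        return "password_expired"
    return "active"

def demo():
    """Run both checks over constructed sample data."""
    now = datetime(2024, 1, 10, 12, 0)
    p = ClientProfile(cumulative_limit=1000.0, limit_window=timedelta(days=1),
                      history=[(now - timedelta(hours=3), 600.0), (now - timedelta(days=2), 900.0)])
    r = {"small": requires_step_up(p, 300.0, now), "over_limit": requires_step_up(p, 500.0, now)}
    p.wallet_changed_at = now - timedelta(hours=2)
    r["after_change"] = requires_step_up(p, 10.0, now)
    r["locked"] = session_state(5, now, now, now)
    r["idle"] = session_state(0, now - timedelta(minutes=20), now, now)
    r["ok"] = session_state(1, now - timedelta(minutes=5), now - timedelta(days=30), now)
    return r
```

Only transactions inside the rolling window count toward the limit, so the 900 settled two days earlier is ignored while the 600 settled three hours earlier is not.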