1. Transaction monitoring standard: To enable early detection of fraudulent activities, VASPs are expected to implement comprehensive transaction monitoring, including but not limited to:
   a. behavioural analysis to detect anomalous patterns, and rule-based monitoring for known suspicious activities;
   b. machine learning capabilities for advanced threat detection;
   c. real-time alerting for Suspicious Transactions; and
   d. regular review and refinement of detection methodologies.
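
As an added illustration of items 1(a) and 1(c) (this is example code written for this page, not any VASP's or regulator's own system), the block below layers a rule-based check for known suspicious patterns on top of a per-account behavioural baseline and emits alerts as each withdrawal is processed. The thresholds, field names and the sample transactions are assumptions constructed for the example.

```python
"""Rule-based plus behavioural transaction monitoring over a constructed batch
of withdrawals. Illustrative code for this page; thresholds, record fields and
sample data are assumptions, not a standard or a vendor's rule set."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Tx:
    account: str
    amount: float          # assumed: one asset, base units
    ts: int                # unix seconds
    dest: str              # destination address
    dest_first_seen: bool  # True if this account has never paid this address


LARGE_AMOUNT = 10_000.0   # assumed static rule threshold
BURST_WINDOW_S = 600      # assumed: 10-minute window for the burst rule
BURST_COUNT = 3           # assumed: N withdrawals to never-seen addresses
ZSCORE_LIMIT = 3.0        # assumed: deviation from the account's own baseline


def rule_alerts(txs):
    """Known suspicious patterns: very large withdrawals, and a burst of
    withdrawals to previously unseen addresses (a common drain signature).
    Processes events in time order, so the same loop body serves a stream."""
    alerts = []
    recent = defaultdict(list)  # account -> withdrawals inside the window
    for tx in sorted(txs, key=lambda t: t.ts):
        if tx.amount >= LARGE_AMOUNT:
            alerts.append(("LARGE_WITHDRAWAL", tx.account, tx.ts))
        recent[tx.account].append(tx)
        recent[tx.account] = [t for t in recent[tx.account]
                              if tx.ts - t.ts <= BURST_WINDOW_S]
        new_dest = sum(1 for t in recent[tx.account] if t.dest_first_seen)
        if new_dest == BURST_COUNT:  # fire once, when the threshold is crossed
            alerts.append(("NEW_DEST_BURST", tx.account, tx.ts))
    return alerts


def behavioural_alerts(history, txs):
    """Anomaly detection against each account's own history. history maps an
    account to its past withdrawal amounts (constructed baseline). Amounts more
    than ZSCORE_LIMIT standard deviations above the account mean are flagged."""
    alerts = []
    for tx in txs:
        past = history.get(tx.account, [])
        if len(past) < 5:
            continue  # too little baseline; the rule layer still applies
        mu, sigma = mean(past), pstdev(past)
        if sigma == 0:
            sigma = max(abs(mu) * 0.1, 1e-9)  # assumed floor for flat baselines
        if (tx.amount - mu) / sigma > ZSCORE_LIMIT:
            alerts.append(("ANOMALOUS_AMOUNT", tx.account, tx.ts))
    return alerts


def monitor(history, txs):
    """Union of both layers, ordered by time then alert type."""
    found = set(rule_alerts(txs)) | set(behavioural_alerts(history, txs))
    return sorted(found, key=lambda a: (a[2], a[0]))


# Constructed sample data (not real accounts or transactions).
HISTORY = {
    "acct-A": [100, 120, 90, 110, 105, 95],
    "acct-B": [50, 50, 50, 50, 50, 50],
}
TXS = [
    Tx("acct-A", 115.0, 1000, "addr-1", False),   # ordinary for acct-A
    Tx("acct-A", 12000.0, 1100, "addr-9", True),  # large and anomalous
    Tx("acct-B", 400.0, 2000, "addr-b1", True),   # start of a drain burst
    Tx("acct-B", 420.0, 2100, "addr-b2", True),
    Tx("acct-B", 410.0, 2200, "addr-b3", True),   # third new address in window
]

if __name__ == "__main__":
    for alert in monitor(HISTORY, TXS):
        print(alert)
```

The rule layer catches what an analyst already knows to look for; the behavioural layer catches the acct-B withdrawals that are individually small but far outside that account's history. Tuning the thresholds and re-checking false-positive rates is the "regular review and refinement" of item 1(d).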
|
2. Internal user activity monitoring standard: To enhance the ability to identify compromised accounts or insider threats early, VASPs are expected to implement monitoring of internal user activities, including but not limited to:
   a. authentication attempts and failures, with pattern analysis to detect insider threats;
   b. access to sensitive or critical systems, and administrative activities; and
   c. segregation of the monitoring function from operational teams.
|
3. Enhanced monitoring standard: To provide visibility into activities on critical systems, enabling early detection of any compromise, VASPs are expected to implement enhanced monitoring of developer and signing systems, including but not limited to:
   a. process creation and termination monitoring;
   b. network connection analysis and file system change detection;
   c. software installation and execution control; and
   d. user behaviour analytics.
|
4. Tactical hardening standard: To enable organisations to limit attacker access once a compromise is detected, VASPs are expected to maintain the capability to rapidly implement tactical hardening measures, including but not limited to:
   a. emergency access revocation, including for individual endpoints;
   b. network segmentation capabilities and system isolation procedures;
   c. pre-approved emergency change procedures; and
   d. regular testing of hardening capabilities.
|
5. Investigation capability standard: To enhance the ability to identify attack vectors and compromised assets during incidents, VASPs are expected to maintain comprehensive investigation capabilities, including but not limited to:
   a. dedicated forensic resources (internal or contracted) that can be deployed in real time or on immediate notice;
   b. secure evidence collection and handling procedures;
   c. chain of custody documentation;
   d. root cause analysis methodologies; and
   e. regular training and capability testing.
|
6. On-chain analysis standard: To improve the ability to trace stolen funds and identify potential recovery opportunities, VASPs are expected to develop and maintain on-chain analysis capabilities, including but not limited to:
   a. transaction tracing tools and wallet attribution capabilities;
   b. collaboration with other VASPs for fund tracing; and
   c. regular training and capability development.
|
7. Remediation standard: To reduce the risk of re-exploitation, VASPs are expected to implement comprehensive remediation procedures, including but not limited to:
   a. complete rotation of all secret components (including but not limited to passwords, keys and key shards) after incidents;
   b. system rebuilding from secure baselines, and enhanced monitoring post-incident;
   c. formal verification of attacker removal; and
   d. post-incident review and lessons learned.
|