| 1. | Key generation standard: To reduce the risk of weak or predictable keys that could be exploited by attackers, VASPs are expected to generate cryptographic keys using industry-approved methods with sufficient entropy, including but not limited to—
| a. | hardware security modules (“HSMs”) for key generation, where possible; | | b. | formal validation of key generation routines; | | c. | best in class security processes for all cryptographic keys, including minimum standards for encryption; | | d. | separation of duties during key generation; and | | e. | comprehensive audit logging of all generation activities.
|
|
| 2. | Wallet creation standard: To ensure that wallets are created in a controlled, secure environment with appropriate oversight, VASPs are expected to implement a secure wallet creation process that includes, but is not limited to—
| a. | formal wallet creation procedures with separation of duties; | | b. | multiple levels of approval for new wallet creation; | | c. | tamper-evident processes for all creation activities; | | d. | comprehensive logging and monitoring of wallet creation; and | | e. | physical security controls for creation environments.
|
|
| 3. | Key storage security standard: To reduce the risk of key compromise, which is the most direct path to asset theft, VASPs are expected to store cryptographic keys using defence-in-depth approaches, including but not limited to—
| a. | HSMs for critical key storage; | | b. | appropriate separation of key components for keys-at-rest including both physical decentralisation and encryption/cryptographic methods; | | c. | restricted physical and logical access to key storage mechanisms; and | | d. | regular testing of key backup and recovery procedures.
|
|
| 4. | Smart contract security standard: To reduce the risk of vulnerabilities in smart contract code that could be exploited to manipulate transactions or extract funds, VASPs are expected to implement formal smart contract review and testing processes, including but not limited to—
| a. | static and dynamic code analysis; | | b. | independent third-party audits before deployment and formal verification where applicable; | | c. | comprehensive penetration testing; and | | d. | regular re-assessment of deployed contracts.
|
|
| 5. | Multi-signature security standard: To eliminate single points of failure in wallet security and ensure resilience against compromise of individual signers, VASPs are expected to implement robust multi-signature requirements, including—
| a. | minimum multi-signatures for high-value operations, where the minimum number of signers (M) is greater than the total number of signatories (N) divided by two (2) (i.e. M > N/2); | | b. | geographic distribution of signing authorities; | | c. | diverse authorisation mechanisms and separation of duties between signers; and | | d. | regular testing of signature processes.
|
|
| 6. | Transaction verification standard: To reduce the risk of authorising fraudulent transactions, VASPs are expected to implement comprehensive transaction verification processes, including but not limited to—
| a. | mandatory multi-level verification; | | b. | automated detection of anomalous transactions in real-time triggering immediate notifications; | | c. | clear procedures for signers to verify and validate transactions; | | d. | formal process for addressing verification anomalies; and | | e. | immediate halting of the signing process when errors are reported.
|
|
| 7. | Key compromise response standard: To ensure organisations can respond effectively to suspected or confirmed key compromises and to limit potential damage, VASPs are expected to develop and maintain a formal key compromise response plan that includes, but is not limited to—
| a. | clear triggers for activation, with pre-authorised emergency response procedures and formal communication protocols; | | b. | rapid key rotation capabilities; and | | c. | regular testing and simulation.
|
|
| 8. | Key holder management standard: To reduce the risk of unauthorised access to cryptographic keys through proper lifecycle management of key holders, VASPs are expected to implement comprehensive key holder management processes, including but not limited to—
| a. | just-in-time access provisioning; | | b. | regular access reviews and immediate revocation processes; | | c. | segregation of duties; and | | d. | secure backup key holder procedures.
|
|
| 9. | Authentication control standard: To reduce the risk of unauthorised access through comprehensive authentication requirements, VASPs are expected to implement strong authentication controls, including but not limited to—
| a. | multi-factor authentication for all access to systems with cryptographic keys; | | b. | hardware-based authentication for critical operations, with biometric verification where appropriate; | | c. | time-based restrictions on authentication attempts; and | | d. | continuous validation of session authenticity.
|
|
| 10. | Developer workstations standard: To address a common initial access vector for attackers by securing the development environment, VASPs are expected to implement strict controls for developer workstations, including but not limited to—
| a. | endpoint protection and monitoring; | | b. | network segmentation; | | c. | prohibition of direct production access; | | d. | secure secret management solutions; and | | e. | regular security assessments.
|
|
| 11. | Security testing standard: To ensure ongoing identification and remediation of vulnerabilities before they can be exploited, VASPs are expected to conduct appropriate security tests regularly, and in all events prior to any update to a production system. Such security test should include, but not be limited to—
| a. | annual penetration testing by qualified third parties; | | b. | quarterly vulnerability assessments; | | c. | continuous automated security scanning; | | d. | regular best practice security exercises for high-value systems; and | | e. | formal remediation tracking for identified vulnerabilities.
|
|
| 12. | Unauthorised recovery standard: To reduce the risk of unauthorised recovery of cryptographic keys from disposed media, VASPs are expected to implement comprehensive data sanitisation policies and procedures that ensure—
| a. | secure disposal of all media containing sensitive information; | | b. | cryptographic erasure or physical destruction of media containing cryptographic keys; | | c. | formal chain of custody documentation for media disposal; | | d. | regular assessment of sanitisation effectiveness; and | | e. | secure decommissioning procedures for all systems.
|
|
| 13. | Audit logging standard: To enhance visibility into system activities and support effective investigation of security incidents, VASPs are expected to implement comprehensive monitoring and logging systems that—
| a. | capture all security-relevant events and store logs securely with tamper-evidence, maintaining logs for a minimum of one year; | | b. | include all wallet and key operations; and | | c. | implement real-time alerting for security events.
|
|