| 1. |
Written agreements with clients.
|
| |
a. |
In addition to all applicable requirements in the Market Conduct Rulebook, Client Agreements entered into between VASPs providing Custody Services and clients should include the following—
|
| |
|
i. |
description of the overall custodial framework used by the VASP when providing Custody Services, including but not limited to security, risk mitigation, safeguarding procedures; |
| |
|
ii. |
address what will happen when source code versions underlying a Virtual Asset supported by the VASP materially change in a way that may affect the Custody Services provided [e.g. a “fork” of the network protocol], including but not limited to—
|
| |
|
|
1. |
notification requirements if the VASP will not support the original source code version; |
| |
|
|
2. |
notification requirements if the VASP will support the original source code version; |
| |
|
|
3. |
notification requirements if the original source code version will no longer exist, or is not reasonably expected to continue to exist, or if the original source code version will no longer function securely and/or as originally intended; and |
| |
|
|
4. |
actions that will be taken by the VASP if any/all of the above were to take place;
|
| |
|
iii. |
when and how the Virtual Assets under custody will be returned; |
| |
|
iv. |
settlement finality, including when a Virtual Asset will be deemed fully transferred, and the VASP discharged of any obligations upon transfer of the Virtual Asset [including but not limited to withdrawals initiated by the client]; |
| |
|
v. |
the frequency of account statements to be provided to clients, and the content of those statements; |
| |
|
vi. |
who [e.g. the VASP, its agent or another third party] is responsible for securing the Virtual Assets, and protecting them from theft or loss; |
| |
|
vii. |
the VASP’s Outsourcing practices including, if the VASP Outsources some or all of the Custody Services to third parties, the qualifications of those third parties; |
| |
|
viii. |
the VASP’s cybersecurity and data privacy policies, procedures, controls and systems, including how the VASP will respond to data breaches and cyberattacks, and notification, reimbursement and remediation policies; and |
| |
|
ix. |
the VASP’s policies and procedures for safeguarding access to Virtual Assets, including policies and procedures related to multi-signature/multi-key safeguards, access management controls, and revocation of key signtories’ access.
|
| 2. |
Relationship between a VASP and client, for the provision of Custody Services.
|
| |
a. |
The provision of Custody Services shall be a contractual arrangement between a VASP and a client, under which a client lawfully in control of, or entitled to control, a Virtual Asset, transfers control of the Virtual Asset to a VASP, solely for the purpose of receiving Custody Services, and does not in any way transfer to the VASP, any legal interest in the Virtual Asset, or any discretionary authority not explicitly authorised in the Client Agreement or otherwise agreed to by the client. |
| |
b. |
In addition to all Reserve Assets requirements in the Company Rulebook, VASPs providing Custody Services will keep a register, and record of reconciliation of each client’s positions that correspond to the client’s rights to the Virtual Assets that are subject to the Custody Services.
|
| 3. |
Outsourcing and third-party suppliers.
|
| |
a. |
If a VASP Outsources some or all of the Custody Services to third parties, the VASP is responsible for ensuring that all applicable laws, Regulations, Rules and Directives are complied with. |
| |
b. |
VASPs must have established roles and responsibilities for its Custody Services operations, and its operational risk management. The responsibility for manually executed core functions of Custody Services, should only be performed by authorised employees.
|
| 4. |
Account statements. VASPs providing Custody Services must provide at least every month, and promptly at the request of a client, a statement with all Virtual Asset transactions specific to each client account, the dates and transaction amounts of the corresponding transactions, and balances and value for each type of Virtual Asset. |
| 5. |
Audit. VASPs should maintain a full audit trail of all transaction activities that occur on a client’s account for at least eight [8] years. The audit trail should include specific information regarding each transaction, such as the date and time, the transaction type, the relevant signatories, and the Virtual Assets involved.
|