| 1. |
VASPs must ensure that their technology governance and risk assessment framework addresses, to the extent necessary, the generation of cryptographic keys and VA Wallets, the signing and approval of transactions, the storage of cryptographic keys and seed phrases, VA Wallet creation and management thereof. |
| 2. |
VASPs must—
|
| |
a. |
safeguard access to Virtual Assets in accordance with industry best practices and, in particular, ensure that there is no single point of failure in the VASP’s access to, or knowledge of, Virtual Assets held by the VASP; |
| |
b. |
adopt industry best practices for storing the private keys of clients, including ensuring that keys stored online or in any one physical location are insufficient to conduct a Virtual Asset transaction, unless appropriate controls are in place to render physical access insufficient to conduct such Virtual Asset transaction. VASPs must further ensure that backups of the key and seed phrases are stored in a separate location from the primary key and/or seed phrase; |
| |
c. |
adopt strict access management controls to manage access to keys, including an audit log detailing each change of access to keys. In particular, if Staff with access to a key [including a multi-signature arrangement key] leaves the employment of that VASP, the VASP must conduct an assessment to determine whether a new key must be generated; |
| |
d. |
adopt procedures designed to immediately revoke a key signatory’s access. In particular, a VASP must—
|
| |
|
i. |
ensure that the key generation process ensures that revoked signatories do not have access to the backup seed phrase or knowledge of the phrase used in the key’s creation; |
| |
|
ii. |
perform internal audits on a quarterly basis concerning the removal of user access by reviewing access logs and verifying access as appropriate; |
| |
|
iii. |
implement and maintain a procedure for documenting the onboarding and offboarding of Staff; |
| |
|
iv. |
implement and maintain a procedure for documenting a VASP’s permission to grant or revoke access to each role in its key management system; and
|
| |
e. |
regularly assess the security of their information technology systems or software integrations with external parties and ensure that the appropriate safeguards are implemented in order to mitigate all relevant risks.
|
| 3. |
VASPs should provide information to clients on measures they can take to protect their keys and/or seed phrases from misuse or unauthorised access, and the consequences of sharing their private keys and other security information. |
| 4. |
VASPs must ensure that access to their systems and data may only be granted to individuals with a demonstrable business need and implement safeguards to ensure the proper identification of all individuals, including the maintenance of an access log.
|