1. Customer authentication standard: To reduce the risk of any customer account compromises, VASPs are expected to implement robust customer authentication, including but not limited to—
   a. strong multifactor authentication;
   b. prohibition of instant messaging verification for high-risk operations;
   c. risk-based authentication challenges and biometric authentication where appropriate; and
   d. suspicious login detection and alerting.

2. Withdrawal control standard: To limit potential losses from compromised accounts through structured withdrawal controls, VASPs are expected to implement comprehensive withdrawal controls, including—
   a. tiered withdrawal limits;
   b. cooling periods for large transactions;
   c. verification for high-value withdrawals outside of prescribed limits and/or ‘bands’;
   d. verification for critical transactions;
   e. behavioural analysis to detect anomalous withdrawal patterns; and
   f. graduated approval requirements based on transaction value.

3. User education standard: To reduce customer vulnerability to social engineering and other attacks through improved awareness, VASPs are expected to implement comprehensive user education programmes, including but not limited to—
   a. security best practices;
   b. common attack vector awareness and secure account management guidance; and
   c. regular security notifications.

4. VA Wallet concentration risk standard: To reduce the risk of concentration of Client VAs in a single or small number of VA Wallets, VASPs are expected to implement controls for the safe diversification of Client VAs across VA Wallets, including but not limited to—
   a. cold storage VA Wallets;
   b. VARA Licensed VASPs providing Custody Services; and
   c. physical distribution of servers storing information through which VA Wallets can be accessed and/or controlled.