D. Risk Management

1. VASPs shall establish and maintain—
 
  a. an effective risk management function;
  b. policies and procedures; and
  c. risk measurement and reporting methodologies,
  commensurate with the nature, size, complexity, and risk profile of the VASP in order to identify, measure, quantify, manage and monitor the risks, whether financial, technological or otherwise, to which they are or may be exposed. Such policies and procedures should be followed strictly to ensure that risks are maintained at acceptable and appropriate levels.
 
2. The risk management function should consist of a sufficient number of suitably qualified and experienced Staff. The head of the risk function of a VASP must have the appropriate qualifications and authority to oversee and monitor the overall risk exposures of the VASP. The CO may also be the head of the risk function. If the head of the risk function is a separate individual from the CO, the head of the risk function must also report directly to the Board of the VASP.
3. The Board shall ensure that the risk management policies are subject to ongoing comprehensive review, particularly when there is a material change in the VASP’s business, operations or Senior Management or Staff, or to the market conditions and applicable laws and regulations that may affect the risk exposure of the VASP.
4. The head of the risk function of a VASP shall submit risk exposure reports to the Board which identify and report all actual or potential risks. Such reports must be submitted to the Board at least once every quarter, or more frequently if required for the VASP to address a specific risk which has been identified.
5. The effectiveness of the risk management policy of each VASP will depend on the types of risks associated with the VASP and its business operations, including the VA Activities it carries out. The key types of risks that must be considered by all VASPs, and reported in the risk exposure reports under Rule I.D.4 of this Compliance and Risk Management Rulebook above to the extent they are applicable, and the mitigating measures which must be adopted for each type of risk include, but are not limited to—
 
  a. Financial stability risks.
 
    i. Financial soundness: Risks arising when a VASP lacks the necessary capital, liquidity or reserves to run operations [both in the going-concern and wind-down scenario] and meet all commitments to its clients, including but not limited to when a VASP is likely to be unable to comply with any of its Capital and Prudential Requirements in the Company Rulebook.
    ii. Market risk: Risks arising from the type and nature of market risk undertaken by the VASP [e.g. the nature of market risk exposure of the VASP’s services and VA Activities]. In relation to such risks, VASPs shall adopt mitigating measures including but not limited to—
 
      1. regular control techniques to monitor market risks, including conducting regular reviews of financial statements and the value of their Virtual Asset holdings; and
      2. establish and maintain effective risk management measures to quantify the impact of changing market conditions on themselves and their clients. Factors to be considered include—
 
        (a) unspecified adverse market movements [including but not limited to “flash crashes”, catastrophic risk or tail events], by using an appropriate value-at-risk model or other methodology to estimate potential loss;
        (b) individual market factors, to measure the sensitivity of the VASP’s risk exposure to specific market risk factors; and
        (c) stress testing, determining the effect of material changes in market conditions [whether or not specific to Virtual Asset markets] on the VASP using quantitative and qualitative variable assumptions.
 
    iii. Credit risks: Risks arising from the type and nature of credit risk undertaken by the VASP [e.g. the nature and level of credit risk exposure of the VASP’s services and VA Activities]. In relation to such risks, VASPs shall adopt mitigating measures, at both an individual account and consolidated account level, including but not limited to—
 
      1. establish and maintain an effective credit rating system to evaluate the creditworthiness of their clients and counterparties;
      2. adopt clearly defined objective measures to evaluate potential clients and counterparties and to determine or review the relevant credit ratings which are used to set appropriate credit, trading and position limits for all clients and counterparties, which shall be enforced at all times;
      3. use appropriate quantitative risk measurement methodologies to effectively calculate and monitor the credit exposure of the VASP in relation to clients and counterparties, including pre-settlement credit exposures and settlement risks. Credit risks posed by all clients and counterparties belonging to the same group of Entities can be aggregated for the purpose of measuring the credit exposure of the VASP;
      4. if applicable in respect of the VA Activities of the VASP, establish and maintain all policies in respect of margin required under any Rulebook, which notwithstanding all other requirements in those Rulebooks should include—
 
        (a) the types of margin which may be called, the applicable margin rates and the method of calculating the margin;
        (b) the acceptable methods of margin payment and forms of collateral;
        (c) the circumstances under which a client or counterparty may be required to provide margin and additional margin, and the consequences of a failure to meet a margin call, including the actions which the VASP may be entitled to take; and
        (d) applicable escalation procedures where a client or counterparty fails to meet successive margin calls.
 
    iv. Liquidity risks: Risks arising from the type and nature of the VASP’s liquidity or asset and liability mix. In relation to such risks, VASPs shall adopt mitigating measures including but not limited to—
 
      1. enforce concentration limits with respect to particular products, markets and counterparties, taking into account their liquidity profile and the liquidity profile of the VASP;
      2. regularly monitor any maturity mismatch between sources and funding requirements and concentrations of individual Virtual Assets, markets and counterparties; and
      3. establish clear default procedures to alert relevant Staff and Senior Management to potential liquidity problems and to provide such Staff and Senior Management with sufficient time to minimise the impact brought by any client’s or counterparty’s liquidity issues.
 
  b. Market conduct risks.
 
    i. Business strategy: Risks arising from the overall strategy and current sources of business of the VASP [e.g. strategic planning process and achievability of strategy].
    ii. Client onboarding risks: Risks arising from onboarding clients [individuals and corporates]. This refers to the level of client due diligence [CDD] applied, such as sanction screening, risk rating and watchlist screening.
    iii. Organisation and regulation: Risks arising from the structure of a VASP, the characteristics and nature of responsibilities of UBOs, Board members and Senior Management responsibilities.
    iv. Operational risks: Risks arising from the type and nature of operational risk involved in the VASP’s activities [e.g. direct or indirect loss from inadequate or failed internal processes, systems or external events].
    v. Quality of management & corporate governance: Risks arising from the quality of the VASP’s management, the nature of the corporate governance, management information and compliance culture, including but not limited to non-compliance with relevant requirements in the Company Rulebook.
    vi. Relationship with regulators: Risk arising from the nature of the VASP’s relationship with other regulators, including recent regulatory history.
    vii. Cybersecurity risks: Risks of exposure or loss from a cyber-attack, data, system or security breach, including any breach of Personal Data security, not limited to non-compliance with relevant requirements in the Technology and Information Rulebook. VASPs must also include all risks relating to the VASP’s reputation in such events.
 
  c. Compliance and risk management risks.
 
    i. AML/CFT, market abuse & fraud: Risks arising from the VASP’s susceptibility to financial crime risk arising from money laundering, market abuse, terrorism financing, and fraud, including but not limited to non-compliance with relevant requirements in this Compliance and Risk Management Rulebook.
    ii. Outsourcing & counterparty risks: Risks arising from Outsourcing to third parties, developing relationships or dependencies on counterparties in any transactions, including with any Controlling Entity, Group Entity or UBO.
    iii. Risk management systems: Risks arising from the nature and effectiveness of the systems and procedures to identify, measure, monitor and control the VASP’s risks [e.g. credit risk, insurance underwriting risk, market risk, operational risk, legal risk and new product risk].
    iv. Compliance function and arrangements: Risks arising from the nature and effectiveness of the compliance function of a VASP. These include its mandate, structure, staffing, methodology, reporting lines and effectiveness.
    v. Business continuity: Risks arising from the effectiveness of business continuity arrangements, including but not limited to non-compliance with relevant requirements in this Compliance and Risk Management Rulebook.
 
  d. Consumer protection risks.
 
    i. Communications with clients & financial promotions: Risks arising from the nature of financial promotion and advertising practices employed by the VASP, including but not limited to non-compliance with relevant requirements in the Market Conduct Rulebook.
    ii. Legal risks: Risks arising from the nature of the VASP’s contractual agreements.
    iii. Disclosure and reporting: Risks arising from the nature of terms of business, periodic statements and other documentation provided to clients, including but not limited to non-compliance with relevant requirements in the Market Conduct Rulebook.
    iv. Client assets: Risk arising from the VASP’s holding or controlling of Client Money and Client VAs.