  • Part III – VA Storage and Custody Rules

    • A. General Requirements

      1. VASPs that provide Custody Services must comply with the provisions in this Part III of this Custody Services Rulebook.
      2. To the extent any provisions are inconsistent with the Client VA Rules in the Compliance and Risk Management Rulebook, this Part III of this Custody Services Rulebook shall have precedence.
      3. VASPs must ensure that all Custody Services are only provided in accordance with verified client instructions.
       
    • B. Segregation and Control

      1. Virtual Assets held by a VASP providing Custody Services are not depository liabilities or assets of the VASP.
      2. VASPs shall not authorise or permit rehypothecation of Virtual Assets for which they provide Custody Services [regardless of whether they have obtained a client’s consent], and VASPs providing Custody Services shall not seek or attempt to obtain such consent as part of the Custody Services they provide.
      3. VASPs providing Custody Services shall segregate the Virtual Assets of each client in separate VA Wallets containing the Virtual Assets of that client only.
      4. VASPs must maintain control of each Virtual Asset at all times while providing Custody Services.
      5. VASPs providing Custody Services must be a separate legal Entity from any member of their Group that provides services relating to VA Activities other than Custody Services, and must implement and strictly enforce policies and procedures to achieve necessary segregation between operations relating to Custody Services, and all other businesses.
      6. VASPs must have adequate policies and procedures to ensure that there is sufficient operational and physical segregation between individuals handling operations for Custody Services, and their other core businesses and operations including, but not limited to, other VA Activities conducted by their Group. Such policies and procedures shall establish a separate team to handle the VASP’s Custody Services only, consisting of individuals who have no conflicting duties or access to information which may give rise to any conflicts of interest.
       
    • C. VA Wallet Management

      1. Hot and cold Virtual Asset storage.
       
        a. VASPs providing Custody Services shall at all times maintain appropriate certifications as may be required under industry best practices applicable to the safekeeping of Virtual Assets.
        b. VASPs providing Custody Services should conduct a risk-based analysis to determine the method of Virtual Asset storage including different types of VA Wallets [e.g. hot versus cold storage].
        c. VASPs providing Custody Services should document in detail the methodologies and behaviour determining the transfer of Virtual Assets between different types of VA Wallets [e.g. hot, cold and warm wallets]. The mechanisms for transfer between different types of VA Wallets should be well documented, and subject to internal controls and audits performed by an independent third-party auditor, ensuring compliance with Rule III.C.1.a of this Custody Services Rulebook.
       
      2. Seed or key generation, storage, and use.
       
        a. When creating any seed, asymmetric private and public key combinations, or other similar mechanisms required for providing Custody Services, VASPs shall use industry best standards to create the seed, asymmetric private and public key combinations, or other similar mechanisms to ensure a secure generation mechanism. In addition, all VASPs providing Custody Services shall consider all risks associated with producing a private key or seed for a signatory including whether the signatory should be involved in the generation process or whether creators of the seed, private key, or other similar mechanism should be prohibited from cryptographically signing any transaction or from having access to any relevant systems.
        b. VASPs providing Custody Services shall adopt industry best practices when using encryption, and secure device storage for a client’s private keys when not in use. VASPs must ensure that any keys stored online or in one physical location are not capable of conducting a Virtual Asset transaction, unless appropriate controls are in place to ensure that physical access itself by an individual is insufficient to conduct a transaction.
        c. All key and seed backups must be stored in a separate location from the primary key and seed. Key and seed backups must be stored with encryption at least equal to the encryption used to protect the primary seed and key. If VASPs use mnemonic back-up seed phrases, they should ensure that the mnemonic back-up seed phrase is broken into at least two [2] parts. Any backups that, when combined, could facilitate a transaction must not be stored in a single point of access.
        d. VASPs providing Custody Services should consider using multi-signature approaches where appropriate. VARA reserves the right to require VASPs to use multi-signature approaches in specific situations, including for specific types of Virtual Assets. If a VASP has multi-signature arrangements that vary depending on the risk of the transaction, the VASP must have well-documented and audited procedures.
        e. VASPs providing Custody Services must mitigate the risk of collusion between all authorised parties or signatories who are able to authorise the movement, transfer or withdrawal of Virtual Assets held under custody on behalf of clients. The risk of collusion and other internal points of failure should be evaluated for materiality and probability, and effectively addressed during recurring operational risk assessments.
       
      3. Lost or stolen keys.
       
        a. VASPs providing Custody Services shall establish, and maintain effective policies and procedures in the event that any seed or cryptographic keys of any VA Wallet are lost or otherwise compromised. Such policies and procedures shall address matters including but not limited to—
       
          i. recovery of affected Virtual Assets;
          ii. timely communications with all clients and counterparties regarding consequences arising from relevant incidents, and measures being taken to remedy such consequences;
          iii. cooperation with law enforcement agencies and regulatory bodies; and
          iv. if applicable, preparation of wind-down arrangements and public disclosure of such arrangements.
       
    • D. Additional Obligations

      1. Written agreements with clients.
       
        a. In addition to all applicable requirements in the Market Conduct Rulebook, Client Agreements entered into between VASPs providing Custody Services and clients should include the following—
       
          i. description of the overall custodial framework used by the VASP when providing Custody Services, including but not limited to security, risk mitigation and safeguarding procedures;
          ii. address what will happen when source code versions underlying a Virtual Asset supported by the VASP materially change in a way that may affect the Custody Services provided [e.g. a “fork” of the network protocol], including but not limited to—
       
            1. notification requirements if the VASP will not support the original source code version;
            2. notification requirements if the VASP will support the original source code version;
            3. notification requirements if the original source code version will no longer exist, or is not reasonably expected to continue to exist, or if the original source code version will no longer function securely and/or as originally intended; and
            4. actions that will be taken by the VASP if any/all of the above were to take place;
       
          iii. when and how the Virtual Assets under custody will be returned;
          iv. settlement finality, including when a Virtual Asset will be deemed fully transferred, and the VASP discharged of any obligations upon transfer of the Virtual Asset [including but not limited to withdrawals initiated by the client];
          v. the frequency of account statements to be provided to clients, and the content of those statements;
          vi. who [e.g. the VASP, its agent or another third party] is responsible for securing the Virtual Assets, and protecting them from theft or loss;
          vii. the VASP’s Outsourcing practices including, if the VASP Outsources some or all of the Custody Services to third parties, the qualifications of those third parties;
          viii. the VASP’s cybersecurity and data privacy policies, procedures, controls and systems, including how the VASP will respond to data breaches and cyberattacks, and notification, reimbursement and remediation policies; and
          ix. the VASP’s policies and procedures for safeguarding access to Virtual Assets, including policies and procedures related to multi-signature/multi-key safeguards, access management controls, and revocation of key signatories’ access.
       
      2. Relationship between a VASP and client, for the provision of Custody Services.
       
        a. The provision of Custody Services shall be a contractual arrangement between a VASP and a client, under which a client lawfully in control of, or entitled to control, a Virtual Asset, transfers control of the Virtual Asset to a VASP, solely for the purpose of receiving Custody Services, and does not in any way transfer to the VASP, any legal interest in the Virtual Asset, or any discretionary authority not explicitly authorised in the Client Agreement or otherwise agreed to by the client.
        b. In addition to all Reserve Assets requirements in the Company Rulebook, VASPs providing Custody Services will keep a register, and record of reconciliation of each client’s positions that correspond to the client’s rights to the Virtual Assets that are subject to the Custody Services.
       
      3. Outsourcing and third-party suppliers.
       
        a. If a VASP Outsources some or all of the Custody Services to third parties, the VASP is responsible for ensuring that all applicable laws, Regulations, Rules and Directives are complied with.
        b. VASPs must have established roles and responsibilities for their Custody Services operations and their operational risk management. Manually executed core functions of Custody Services should only be performed by authorised employees.
       
      4. Account statements. VASPs providing Custody Services must provide at least every month, and promptly at the request of a client, a statement with all Virtual Asset transactions specific to each client account, the dates and transaction amounts of the corresponding transactions, and balances and value for each type of Virtual Asset.
      5. Audit. VASPs should maintain a full audit trail of all transaction activities that occur on a client’s account for at least eight [8] years. The audit trail should include specific information regarding each transaction, such as the date and time, the transaction type, the relevant signatories, and the Virtual Assets involved.