C. VA Wallet Management
Effective from Feb 07 2023 - Aug 23 2023
To view other versions open the versions tab on the right
1. | Hot and cold Virtual Asset storage. |
|||||
a. | VASPs providing Custody Services shall at all times maintain appropriate certifications as may be required under industry best practices applicable to the safekeeping of Virtual Assets. | |||||
b. | VASPs providing Custody Services should conduct a risk-based analysis to determine the method of Virtual Asset storage including different types of VA Wallets [e.g. hot versus cold storage]. | |||||
c. | VASPs providing Custody Services should document in detail the methodologies and behaviour determining the transfer of Virtual Assets between different types of VA Wallets [e.g. hot, cold and warm wallets]. The mechanisms for transfer between different types of VA Wallets should be well documented and subject to internal controls and audits performed by an independent third-party auditor in ensuring compliance with Rule III.C.1.a of this Custody Services Rulebook. |
|||||
2. | Seed or key generation, storage, and use. |
|||||
a. | When creating any seed, asymmetric private and public key combinations, or other similar mechanisms required for providing Custody Services, VASPs shall use industry best standards to create the seed, asymmetric private and public key combinations, or other similar mechanisms to ensure a secure generation mechanism. In addition, all VASPs providing Custody Services shall consider all risks associated with producing a private key or seed for a signatory including whether the signatory should be involved in the generation process or whether creators of the seed, private key, or other similar mechanism should be prohibited from cryptographically signing any transaction or from having access to any relevant systems. | |||||
b. | VASPs providing Custody Services shall adopt industry best practices when using encryption and secure device storage for a client’s private keys when not in use. VASPs must ensure that any keys stored online or in one physical location are not capable of conducting a Virtual Asset transaction, unless appropriate controls are in place to ensure that physical access itself by an individual is insufficient to conduct a transaction. | |||||
c. | All key and seed backups must be stored in a separate location from the primary key and seed. Key and seed backups must be stored with encryption at least equal to the encryption used to protect the primary seed and key. If VASPs use mnemonic back-up seed phrases, it should ensure that the mnemonic back-up seed phrase is broken into at least two [2] parts. Any backups that when combined could facilitate a transaction must not be stored in a single point of access. | |||||
d. | VASPs providing Custody Services should consider using multi-signature approaches where appropriate. VARA reserves the right to require VASPs to use multi-signature approaches in specific situations, including for specific types of Virtual Assets. If a VASP has multi-signature arrangements that vary depending on the risk of the transaction, the VASP must have well-documented and audited procedures. | |||||
e. | VASPs providing Custody Services must mitigate the risk of collusion between all authorised parties or signatories who are able to authorise the movement, transfer or withdrawal of Virtual Assets held under custody on behalf of clients. The risk of collusion and other internal points of failure should be addressed during recurring operational risk assessments. |
|||||
3. | Lost or stolen keys. |
|||||
a. | VASPs providing Custody Services shall establish and maintain effective policies and procedures in the event that any seed or cryptographic keys of any VA Wallet are lost or otherwise compromised. Such policy and procedures shall address matters including but not limited to— |
|||||
i. | recovery of affected Virtual Assets; | |||||
ii. | timely communications with all clients and counterparties regarding consequences arising from relevant incidents and measures being taken to remedy such consequences; | |||||
iii. | cooperation with law enforcement agencies and regulatory bodies; and | |||||
iv. | if applicable, preparation of winding down arrangements and public disclosure of such arrangements. |