If you are not tech-ready or intend to outsource everything, please read this first.
by Edmund Yong
In our concluding article, we shall bring emphasis to the technological and operational aspects of the digital asset custody (DAC) business. This is imperative for successful applications. Although the DAC section in the Guidelines of Digital Assets (GoDA) by Securities Commission (SC) is barely 20 pages long, the ambit is very wide.
While we have seen how SC employs a “right touch” approach to its Recognised Market Operator (RMO) regime, often expecting operators to “comply or explain”, the DAC is unique in the sense that there are known technical standards on the wallet side and fiduciary governance rules on the trust side. So, DAC applicants hoping to waltz into SC with the justification that this is a new tech innovation (so the rules don’t apply to them) will be in for an unpleasant surprise.
Technology is integral to the custody business
For insight into what regulators generally look for, one exemplar is Germany’s central bank BaFin, which rolled out its Guidelines on Application for Authorisation of Crypto Custody Business back in January 2020 and was one of the pioneers to draft bespoke regulations for DAC.
Section 3 states: “Due to the technical focus of their business activity, in particular information must be provided regarding their IT strategy and IT security.” This is expounded in 3(a): “Adequate IT security is an integral part of a proper business organization (of crypto custody) … In particular, BaFin expects information concerning the specific characteristics of the IT systems as well as the IT processes implemented (underline added).”
This comparison will hopefully give you some useful colour for your DAC application. If you intend to outsource, then your outsourcing provider should be ready to stand behind the following on your behalf.
Management must be more than ‘fit and proper’!
Under GoDA in Malaysia, the DAC applicant has to ensure that its key personnel are fit and proper and “suitably qualified” (Para 26.01). In particular, the latter phrase may sound rather innocuous but belies a very substantive portfolio. Their obligations, as seen in the left column, require a lot of technical heft. Therefore, it is unlikely that someone without the suitable technical and practical qualifications would be able to handle them, even though he or she may be ‘fit and proper’.
Insurance could be the hidden game changer
Despite initial qualms that there is no available coverage in this market (and rubbing salt on this, foreign DACs often impose stiff criteria on local DAXes for insurance eligibility), things are moving more favourably in Malaysia. We previously ran a two-part article on crypto insurance, covering the probable cost exposures of a security event, including first-party and third-party losses, and how the crypto industry is trying to insure itself such as with a captive insurance approach.
From the insurer’s point of view, there are challenges to underwriting this, given the diversity of threats, the small size of the local market, potential accumulation risks, and so forth. And to be fair, DAC policyholders must have a minimum level of security measures and pass relevant audits such as SOC 1 and SOC 2 (System and Organisation Controls). Many countries set their own security audits and standards, e.g., NIST in the US (SP 800-53), ENISA in Europe, BSI in Germany (IT-Grundschutz), KISA in South Korea; so local regulators should consider prescribing their own.
As we can see with cybersecurity insurance, it is a dynamic and evolving area, and nobody knows what the product types will look like in a few years’ time. But it is here to stay for good. Similarly, crypto insurance will lay the bedrock of trust for the industry. It will do a lot more than just help DACs bounce back from crises; it will boost long-term investor confidence as well.
All the best for your DAC application!
For feedback, enquiries or assistance, please write to edmund@celebrusadvisory.