An Authorised Person conducting a Regulated Activity in relation to Virtual Assets must, as a minimum, have in place systems and controls with respect to the following:
Virtual Asset Wallets
(a) Procedures describing the creation, management and controls of Virtual Asset wallets, including:
(i) wallet setup/configuration/deployment/deletion/backup and recovery;
(ii) wallet access privilege management;
(iii) wallet user management;
(iv) wallet rules and limit determination, review and update; and
(v) wallet audit and oversight.
(b) Procedures describing the creation, management and controls of private keys, including:
(i) private key generation;
(ii) private key exchange;
(iii) private key storage;
(iv) private key backup;
(v) private key destruction; and
(vi) private key access management.
Origin and destination of Virtual Asset funds
(c) Systems and controls to mitigate the risk of misuse of Virtual Assets, setting out how—
(i) the origin of Virtual Assets is determined, in case of an incoming transaction; and
(ii) the destination of Virtual Assets is determined, in case of an outgoing transaction.
(d) A security plan describing the security arrangements relating to:
(i) the privacy of sensitive data;
(ii) networks and systems;
(iii) cloud based services;
(iv) physical facilities; and
(v) documents, and document storage.
(e) A risk management plan containing a detailed analysis of likely risks with both high and low impact, as well as mitigation strategies. The risk management plan must cover, but is not limited to:
(i) operational risks;
(ii) technology risks, including 'hacking' related risks;
(iii) market risk for each Accepted Virtual Asset; and
(iv) risk of Financial Crime.