DLT Provider Custody Thematic Review
Findings, observations and expectations relating to custody arrangements of fiat and virtual assets
April 2024
Introduction
Thematic reviews form an integral part of the Gibraltar Financial Services Commission’s (“GFSC”) supervisory and risk management approach, and aid in the delivery of our regulatory objectives. We use thematic reviews as a regulatory tool in supervising regulated entities and assessing current or emerging risks or issues that affect, or could affect, a number of entities or sectors.
As the regulator of the Distributed Ledger Technology (DLT) sector, the central area of focus for us is how regulated firms use DLT to store or transmit value belonging to others. Undertaking a thematic review to assess regulated firms’ custody arrangements allows us to better understand current and emerging threats and vulnerabilities within the DLT industry. The primary focus of this thematic review was to assess, in particular, DLT Providers’ safeguarding, segregation, record-keeping and reporting arrangements, and their allocation of management responsibility in relation to the custody of client assets and money.
This report sets out a summary of our findings, and how we propose that firms should address and manage the risks posed to customers and Gibraltar by the DLT industry, with a view to further mitigating these risks in the future.
Why select the Distributed Ledger Technology Sector?
The GFSC took into account the following factors when determining that it was necessary to carry out a thematic review of the custody arrangements within the DLT sector:
• The thematic review would enable the GFSC to identify any risks or trends and revise its supervisory approach, if necessary;
• Various risks were identified within the sector as a result of the international adverse market events of 2022; and
• The sector had not previously been subject to a dedicated custody thematic review.
What we did
All firms in the sector were assessed as part of the thematic review.
As such, the GFSC’s DLT Team (the “Team”) completed 10 onsite inspections between March and July 2023. This included desk-based reviews of the documentation submitted prior to the onsite inspections.
Both review methods allowed the Team to understand and assess firms’ policies, processes and procedures relating to the protection of customer assets, and to subsequently verify how these are applied in practice. The thematic review has given the GFSC an insight into firms’ understanding of the regulatory standards expected from them, and the potential risks to firms and the jurisdiction that arise from the use of ineffective arrangements for the protection of client assets and money.
Expectations
The DLT Regulatory Framework is designed to encourage innovation while simultaneously upholding high regulatory standards and helping the GFSC meet its broader strategic objectives. The Framework is underpinned by ten Regulatory Principles, which are contained in the Financial Services (Distributed Ledger Technology Providers) Regulations 2020 (“DLT Regulations”). Principle 5 within the DLT Regulations states that “[a] DLT Provider must have effective arrangements in place for the protection of client assets and money when it is responsible for them”. The corresponding Guidance Note provides guidance as to the operational, technical and organisational standards that are expected, and in some circumstances required, by the GFSC in order to comply with this Principle.
A DLT Provider is expected to:
• Put in place appropriate policies, processes and procedures to protect customer assets.
• Take all reasonable precautions to protect customer assets and money in its custody and control against any potential threats.
• Segregate custodial assets and money from its own assets and money.
• Ensure fiat customer balances are protected, sufficiently liquid, and clearly segregated as customer money with a regulated credit, e-money or payment institution, acceptable to the GFSC.
• Have appropriate systems of control to manage customer assets. These systems should be proportionate to the size of the business, the assets in custody and the risks involved in that business.
• Implement an appropriate contractual relationship with its customers that reflects the products and services provided by the DLT Provider.
• Obtain formal acknowledgement that all fiat and virtual assets held by the custodian are held in trust and that the custodian is not entitled to combine the amounts with any others or to exercise any right of set-off or counterclaim against such assets in respect of any debt owed to the custodian by the DLT Provider.
• Segregate virtual assets belonging to different customers using different private keys unless it is confident that its processes and controls are sufficiently robust. A DLT Provider must adequately identify the customer(s) to which the private keys relate.
• Reconcile customer virtual assets and its own assets as a minimum once a day, and customer fiat assets at least on a monthly basis.
• Fully investigate and reconcile any differences.
• Cover any unidentified differences leading to a lower amount of virtual asset balances on the underlying distributed ledger when compared to the internal records, until these are investigated and cleared.
• Store and secure private keys relating to value stored on behalf of customers in a manner that minimises the risk of loss or theft.
• Maintain the highest and most relevant industry standards with respect to security and management of private keys.
• Adopt best practices and ensure that potential threats or vulnerabilities are mitigated.
Our findings
The vast majority of firms had adequate policies and procedures in place relative to their size and the nature, scale and complexity of their activities. There were, however, differences in how these policies and procedures were applied in practice, and varying degrees of effectiveness in their implementation. The key findings arising from the thematic review were that there were several areas that require improvement within the sector, including customer asset management, the safeguarding and segregation of assets, the frequency of asset reconciliation and the management of private keys. These are all essential components for complying with the DLT Regulatory Framework. In some cases, the Team considers that significant remediation is necessary to ensure that certain firms’ controls are sufficiently robust and that they adequately protect client assets and money.
The good and poor practices outlined below are based on the findings identified across the sector. We have grouped them into key areas and included a non-exhaustive list of the GFSC’s expectations in respect of these areas. In this way, firms can understand where improvements or changes should be made. It should be noted that these findings may not apply to all firms.
Customer Asset Management
Expectations
A DLT Provider must:
• Put in place appropriate policies, processes and procedures to protect customer assets.
Good Practice
Robust policies and procedures in place for the protection and movement of client assets/money, which are reviewed, tested, revised and updated periodically.
Poor Practice
Inadequate/outdated policies and procedures in place that do not reflect practice or requirements.
Safeguarding and Segregation
Expectations
A DLT Provider must:
• Hold customer assets separately from its own assets. Customer assets must be clearly designated and easily identifiable.
• Obtain formal acknowledgement that all fiat and virtual assets held by the custodian are held in trust and that the custodian is not entitled to combine the amounts with any others or to exercise any right of set-off or counterclaim against such assets in respect of any debt owed to the custodian by the DLT Provider.
Good Practice
Use of separate, designated client asset/operational wallets.
Appropriate agreements/contracts in place with third party custodians that clearly stipulate that customer assets are held in trust by the custodian, that they cannot be comingled, and that they are protected in the event that the DLT Provider owes a debt to the custodian.
Poor Practice
Lack of segregation of custodial (customer) assets and money and the firm’s own assets and money.
Failure to obtain any formal acknowledgement that customer assets held with the custodian are held in trust and that the custodian cannot comingle assets or use funds to offset debt owed to the custodian by the DLT Provider.
Frequent Reconciliation
Expectations
A DLT Provider must:
• Reconcile customer virtual assets and its own assets as a minimum once a day, and customer fiat assets at least on a monthly basis.
• When reconciling virtual asset movements, ensure that any internally calculated balances are reconciled to the expected balance on the underlying blockchain in question.
Good Practice
Frequent (at least daily) reconciliation of internal balances against data retrieved from the DLT Provider’s own node to verify transactions, removing any reliance on other nodes or block explorers.
Poor Practice
Failure to reconcile any internally calculated balances to the expected balance on the relevant underlying blockchain.
Lack of sufficiently frequent reconciliation.
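The daily reconciliation described in this section, as an added illustration that is not part of the GFSC report: the check sums the firm’s internal ledger per wallet, compares each total with the balance read back from the firm’s own node, and computes the shortfall the firm must cover while any on-chain balance lower than its records is investigated (the expectation at the top of this report). The wallet names, ledger entries and node balances are constructed sample data.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed sample data (not from the report): per-owner ledger entries and
# the balances read back from the firm's own node at reconciliation time.
INTERNAL_LEDGER = [
    ("cust-001", "btc-client-wallet", Decimal("1.50")),
    ("cust-002", "btc-client-wallet", Decimal("0.25")),
    ("cust-003", "eth-client-wallet", Decimal("10")),
    ("firm", "btc-operational-wallet", Decimal("0.40")),
]
ON_CHAIN_BALANCES = {
    "btc-client-wallet": Decimal("1.70"),       # 0.05 lower than records
    "eth-client-wallet": Decimal("10"),         # matches records
    "btc-operational-wallet": Decimal("0.45"),  # 0.05 higher than records
}

@dataclass(frozen=True)
class WalletRecon:
    wallet: str
    internal: Decimal        # sum of ledger entries for this wallet
    on_chain: Decimal        # balance reported by the firm's own node
    status: str              # "matched", "shortfall" or "surplus"
    cover_required: Decimal  # amount the firm must cover until cleared

def reconcile(ledger, on_chain):
    """Compare per-wallet ledger totals with on-chain balances.

    Every wallet seen in either source is reported, so a wallet missing
    from one side surfaces as a difference rather than being skipped.
    """
    expected = {}
    for _owner, wallet, amount in ledger:
        expected[wallet] = expected.get(wallet, Decimal(0)) + amount
    results = []
    for wallet in sorted(set(expected) | set(on_chain)):
        internal = expected.get(wallet, Decimal(0))
        chain = on_chain.get(wallet, Decimal(0))
        if chain < internal:      # ledger lower on chain: cover until cleared
            status, cover = "shortfall", internal - chain
        elif chain > internal:    # unexplained surplus: investigate, no cover
            status, cover = "surplus", Decimal(0)
        else:
            status, cover = "matched", Decimal(0)
        results.append(WalletRecon(wallet, internal, chain, status, cover))
    return results

def total_cover_required(results):
    """Sum of shortfalls the firm must fund pending investigation."""
    return sum((r.cover_required for r in results), Decimal(0))

def exceptions(results):
    """Wallets that need investigation (anything not matched)."""
    return [r for r in results if r.status != "matched"]
```

In production the ledger totals would come from the firm’s own records and the on-chain balances from its own node, with each exception logged and its investigation tracked to closure.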
Private Key Management
Expectations
A DLT Provider should consider:
• Requiring sign-off on transactions from separate individuals to ensure that there is no single point of failure or reliance on a single party.
• Ensuring that redundant keys are assigned.
Good Practice
Implementation of a customised policy engine configuration within the custody solution to govern policies for users and transaction rules.
Poor Practice
Poor governance controls, allowing a single administrator to change user and transaction rules.
Next steps
The GFSC has finalised the onsite inspection process and has issued individual feedback to all DLT Providers. Each firm has been assigned a specific supervisory plan tailored to the firm and its business model, focusing upon the risks identified during the thematic review. Where remediation is required, we are working closely with firms to ensure that any concerns and findings are appropriately addressed.
All DLT Providers must ensure that they can demonstrate that their systems and controls are robust and effective, and that they are able to comply with the ten DLT Regulatory Principles on an ongoing basis.
We are committed to working with the sector to further enhance compliance with these Principles.
If you have any queries regarding the contents of this report, please contact the Distributed Ledger Technology Supervision Team on dlt@gsfc.gi or on +350 200 40283.