Financial Dealers License
Please download, fill, sign and submit your application online.
License: Vanuatu Financial Services Commission
Processing Time: 1-2 months
Requirements: Onshore Office & Local Director, Passport, Proof of Residence
Application fee: $35,000
Monthly operational fee: $2,000 (Local Director and staff)
Annual renewal fee: $4,000
Principal License (Natural Person)
- Application in Prescribed Form (Schedule 1)
- Notarized Copy of Passport
- Notarized Copy of Police Clearance (If original, certification not required)
- Certified Copies of Academic Transcripts
- Curriculum Vitae
- 2 Independent References on related experience in fund management, securities and investment
Principal License (Body Corporate)
- Application in Prescribed Form (Schedule 1)
- Certified Copy of Certificate of Incorporation
- Certified Copy of Memorandum and Articles of Association or Constitution
- Certified Copy of License to deal in securities in foreign jurisdictions
- Registered Agent and Registered Office Information
- Proof of Business Address of Applicant
- Particulars of Each Key Person as defined under Act
- Details of the Source of Funds of Capital of Applicant
- Audited financial accounts of company where company has been active for 12 months
- Director Statement detailing financial standing, current assets, contingent liabilities and professional indemnity and directors and officers liability cover
- Directors statement detailing the activity to be carried out under the license and the mediums in which this business will use
- Business plan outlining the Applicant’s internal organization, internal controls and corporate governance, including details on keeping current books and records detailing receipt of investment, how it is held and dealt with, and outline procedures for withdrawal of funds by investors or maturity of investment
- Internal risk assessment report
- Anti Money Laundering and KYC Client Compliance Policy Manual
- Disclosure of internet related business or e-commerce business links and must ensure that all websites used reflect the name and information of the Applicant
- Resolution of Directors appointing the Representative of the Principal
- Declaration by the Applicant stating that there is no reason for the Commissioner to doubt competence, integrity or financial resources to undertake this business
- Declaration by the Directors of the Applicant stating that there is no reason for the Commissioner to doubt competence, integrity or financial resources to undertake this business
- Copies of Registration Form For Reporting Entity Pursuant to Section 9 (3) of the Anti-Money Laundering & Counter-Terrorism Financing Act No. 13 of 2013;
- Copy of AML/CTF Compliance Officer Contact Officer and Authority Form pursuant to Section 34 of the Anti-Money Laundering & Counter-Terrorism Financing Act No. 13 of 2013
- Copy of Compliance Report pursuant to Section 31 of the Anti-Money Laundering & Counter-Terrorism Financing Act No. 13 of 2014.
- Prospectus / Client Agreement
Representative License (Natural Person ONLY)
- Application in Prescribed Form (Schedule 2)
- Notarized Copy of Passport
- Notarized Copy of Police Clearance (If original, certification not required)
- Certified Copies of Academic Transcripts
- Curriculum Vitae
- 2 Independent References, including email and telephone contact of Referees, showing at least (3) years of professional experience confirming CV above 3(e)
- Proof of residence of Applicant
- Declaration by the Applicant stating that there is no reason for the Commissioner to doubt competence, integrity or financial resources to undertake this business
GUIDANCE NOTES ON REQUIREMENTS FOR LICENSEE APPLICATION AS A SECURITY DEALER
Guidelines on the requirements for applicants for licenses as a Securities Dealer
1. These Guidelines are issued under Section 19A of the Financial Dealers Licensing Act as amended (the Act). They provide guidance on how the Commission will assess applications for a licence as a Financial Dealer under the Act, in the light of the Financial Dealers Licensing (Amendment) Act No 31 of 2018, and (Amendment) Act No. 9 of 2021.
The Changes Introduced by the Act
2. The Amendment Act changes the licensing requirements so as to introduce four classes of licence:
a. Class A: debenture stocks; loan stock, bonds; certificates of deposits; proceeds of foreign exchange.
b. Class B: shares in share capital of a corporation; proceeds of precious metals; proceeds of commodities; a right, whether or not conferred by warrant, to subscribe for shares or debt securities; or a right under depository receipt;
c. Class C: Futures contracts and derivative products, including but not limited to futures and options; an option to acquire or dispose of any security falling within any other provision of the Act; a right under a contract for the acquisition or disposal of the relevant securities under which the delivery is to be made at a future date and at a price agreed when the contract is made in accordance with the terms of that contract;
d. Class D: carry on or purport to carry on the business of dealing in digital assets
3. The following application fees will apply:-
a. Application for a principal’s licence:- VT50,000
b. Principal’s licence fee:- VT100,000
c. Application for a Representative’s licence:- VT50,000
d. Representative’s licence fee:- VT100,000
e. Manager’s application fee:- VT 50,000
f. Manager’s License fee:- VT 100,000
4. A class D principal license may only be issued to the license holders of Class A, B and C Principal’s Licenses
Term of the License
5. A license issued under the Act shall remain in force until it is revoked under the Act. The license shall be renewed upon payment of the annual fees.
The following annual fees will be applied on each anniversary of the grant of the license and are payable for the renewal and validity of the license:-
a. Principal’s license VT 100,000
b. Representative License VT 100,000
c. Managers License VT 100,000
Powers of the Commission
6. The Amendment Act gives the Commission the power to impose conditions on a licence.
7. The Amendment Act repeals Section 6 and introduces new requirements for applicants for licences. The full text of the Amendment Act is at Appendix 1. The key changes are as follows:
g. The Commissioner may refuse to grant an application for a licence if he is satisfied that a manager or director of an applicant for a licence is not a natural person with at least five years’ experience dealing in securities and is incompetent to meet the obligations of a licensee under the Act;
h. The Commissioner may refuse to grant an application for a licence if he is satisfied that the managers or directors of the applicant do not normally reside for 6 months within each year in Vanuatu.
i. For existing licence holders, the Commissioner may revoke a licence where he is satisfied that the licence conditions are not met
j. The Act now states that the Commissioner may refuse to grant an application for a licence if he is satisfied that an applicant has contravened the Anti-Money Laundering and Counter Terrorism Financing Act No 13 of 2014 and that contravention has resulted in the use of enforcement measure under Part 10AA of that Act. However, such a requirement had previously been applied, in effect, as a result of the Guidelines on fit and proper criteria issued under Section 19A of the Act and as detailed in the Commission’s Reference Guide on Market Entry Fit and Proper Controls.
The Introduction of the New Requirements
8. The Act came into force on the 22 July 2021. The Commission will apply the new requirements when assessing all applications that are received after the commencement date for these Guidelines, which is stated below. New licenses will not be given to applicants who fail to meet the new requirements.
9. For existing licensees whose licence was granted on or before the date of the issue of these guidelines, the Commission may decide to take no action to revoke the Principal or Representative licences for the period of the existing licence, but, except in the circumstances in paragraph 8 will normally require existing licensees to meet the new requirements before granting a new licence on the expiry of the existing licence.
10. For existing licensees whose licence expires before September 30th 2021, the Commission may decide to take no action against a licensee whose license has expired before that date, if the Commissioner is satisfied that a genuine attempt is being made to comply with a licence by October 1st 2021.
11. For existing licensees whose licences expire before September 30th 2021 and who do not wish to apply for a new licence, the Commission will take no action after the expiry of the licence, provided that it is satisfied that the licensee is arranging the orderly run down of its business, or the transfer of its business to a new jurisdiction before October 1st 2021.
12. However, the Commission reserves the right to take action against licensees if they fail to take action to meet the requirements or if there are other reasons for such action.
13. Under the Act, it is an offence to continue in business without a licence and, subject to paragraphs 7, 8 and 9, enforcement action will be taken against any licensee that continues to operate as a licensee after the expiry of an existing licence and before receiving a new licence.
The Application of the New Requirements
Licences for Class A, Class B, Class C and Class D securities.
14. The Amendment Act introduces four classes of licence. Any licence applicant must obtain the class of licence relevant to the business that it chooses to do. Any licence applicant that chooses to conduct business in more than one class of business as defined in Section 1(1) must make a separate application for each class of licence. There is no provision in the Act for any discount in the application fee or licence fee for applicants who wish to apply for more than one class of licence. Each separate application for each class of business must be accompanied by the application fee and licence fee as prescribed in Sections 4(1), 4(4), 4A(1) and 4A(4) of the Act.
15. The Commission must be satisfied that a licence applicant has the skills available to it to undertake the class of business for which it is seeking a licence. The Act requires each manager and director to have at least five years’ experience in securities dealing and this is discussed below. However, for the purposes of assessing applications for Class A, Class B, Class C or Class D licences, the Commission will have to be satisfied that the applicant (if an individual), or for a corporate entity, at least one executive or manager, has five years’ experience in dealing with that class of securities.
16. In addition, an applicant that is a corporate entity will have to show that the skills required for that class of business do not depend on just one executive or manager but that other employees also have relevant skills (although not necessarily five years experience). The Commission will assess this when considering competence and capability under the Fit and Proper Guidelines. The applicant’s recruitment policies required by the Fit and Proper Guidelines must also include provisions that show that the policies are designed to ensure that the applicant will always have necessary expertise for dealing in the securities for which a licence is being sought.
The experience requirement for executives and managers
17. Under the Amendment Act, the Commissioner must be satisfied that all managers or directors of each licensee must have five years’ experience dealing in securities. The Commission will apply this requirement to an individual who applies for a licence in his or her own name and to all partners who apply for a licence in the name of the partnership. In order to satisfy the Commission that this requirement is met, the applicant must supply Curriculum Vitae, as required by the Reference Guide, that are sufficiently detailed to demonstrate that the requirement for five years’ experience has been met for:
a) the individual proprietor;
b). for all partners; or
c). for all executives and managers of a corporate entity, as the case may be.
The Physical Presence requirement for Licensee
18. The amendment requires that all licensees must operate from an office in Vanuatu. The office should maintain the following system:
a). a filing system;
b). a management and accounting system;
c). a business continuity plan and any other requirements deemed necessary by the VFSC for the smooth running of the business.
License Resident Manager
19. The Amendment introduces the licensing of a resident manager as an alternative to having a fully fledged physical presence in Vanuatu.
An eligible person who wishes to become a resident manager shall apply to the VFSC for a license in the application form approved by the Commission.
The application fee for the resident manager is VT 50,000 and the license fee is VT 100,000.
The amendment outlines the following criteria for a grant of a license to a resident manager:
a). Is a natural person; and
b). has met the fit and proper criteria as required under section 5A; and
c). has qualifications and experience in managerial services of a financial dealer security; and
d). has appropriate staffing;
e). has a physical office in Vanuatu; and
f). has resided in Vanuatu for 6 months in a year; and
g). any other requirements as the Commission may determine
20. The Amendment Act requires that all executives and managers should be resident in Vanuatu for at least six months in any one year. The Commission will apply this requirement to individual applicants for a licence and to all partners where the applicant is a partnership. References to executives in this section apply equally to managers, individual proprietors and to partners.
21. The Commission will normally require executives to be resident in Vanuatu for six months in each calendar year. However, if an executive wishes to apply the six-month rule to any other twelve month period, the Commission will be prepared to consider this. However, once an executive has determined a different twelve-month period within which they must be resident in Vanuatu for six months, they will not be permitted to change that period until five years have passed from the Commission’s agreement to use that twelve-month period.
22. A licence applicant that already meets the residence requirements for all or some executives must demonstrate adherence to that requirement by making a written undertaking that the residence requirement will continue to be met by all executives. This undertaking must be made for each executive and co-signed by each executive. The applicant must also show, for each executive:
a). Telephone bills that show calls being made or received in Vanuatu over a six-month period; and
b). Bank statements showing regular withdrawals of cash in Vanuatu over a six-month period; and
c). A lease for property rented for six months; or
d). Evidence of ownership of a residence; or
e). Any other evidence that the Commissioner considers reasonable to satisfy him that the residence requirement is met.
23. A licence applicant whose executives do not all yet meet the residence requirement must provide a written undertaking for each executive signed by the applicant and the executive concerned that the executive concerned will meet the residence requirement and state how this is to be met.
24. The Commission will normally take the view that an executive who makes and then breaches such an undertaking is not a fit and proper person and will take action accordingly.
25. The Commission will apply these Guidelines from 30 September 2021
GUIDANCE NOTES ON DIGITAL ASSETS
1. These Guidelines are issued under Section 19A of the Financial Dealers Licensing Act as amended (the Act). They provide guidance on how the Commission will assess applications for a Class D licence as a Financial Dealer under the Act, in the light of the Financial Dealers Licensing (Amendment) Act No. 9 of 2021.
2. Section 4 of the Act as amended (the Act) provides for the issue of a Class D license to carry on the business of dealing in digital assets. The Act defines digital asset as “an immaterial asset in digital form stored on a distributed ledger technology (such as blockchain) and representing a set of rights or value”. This provides the legal basis, and any business operator who wishes to conduct any activity regarding Digital Assets must take this law into account, together with subsequent licensing requirements, on top of existing licensing requirements issued by the VFSC.
3. The Financial Dealers Licensing Act provides the right to legally carry out business of dealing in securities to its owner. Any company engaged in securities business activities such as trading as a brokerage, e-wallet services (for example, PayPal), or trading in shares, debentures; loan stock; bonds; certificates of deposits; options; derivatives; credit services, Forex trading, customer depositing, digital assets etc., must obtain a license under this act.
4. The Financial Dealers Licensing (Amendment) Act No. 9 of 2021 provides for an issuance of an additional class of licence (Class D) to trade in digital assets. The Act makes it explicitly clear that the only eligible persons who could apply for this license are those holding class A, B and C licenses. No other persons would be considered for the grant of this license.
5. The VFSC considers as a Digital Asset, any token in electronic/binary form which is representative of either the holder’s access rights to a service or of the ownership of an asset. A Digital Asset, in this respect, includes a digital representation of value which:
a). Is used as a medium of exchange, unit of account, or store of value but which is not legal tender, even if it is denominated in legal tender;
b). Represents assets such as debt or equity in the promoting company; or
c). Provides access to a blockchain-based application, service or product.
A Digital Asset will, however, exclude:
a). Any transaction in which a business, as part of an affinity or rewards programme, grants value, which cannot be exchanged for legal tender, bank credit or any Digital Asset; or
b). A digital representation of value issued by or on behalf of the publisher for use within an online game platform.
6. The VFSC regulates digital assets and related products and services to the extent they fall within the existing regulatory perimeter of dealing in securities.
7. Digital assets may be or involve financial products depending on their individual features. It is the responsibility of each digital asset service provider to ensure they are complying with all relevant Vanuatu laws including the Financial Dealers Licensing Act.
8. The VFSC has limited this new asset class (Class D) to sophisticated and institutional investors only, given the high-risk nature of the asset class.
Investors may be looking for investment opportunities that produce high returns, with what they may perceive as guaranteed returns. While this can make digital assets like cryptocurrencies appealing, there is no such thing as a guaranteed high return.
9. What needs to be clear is that some forms of digital assets, like cryptocurrencies, are volatile assets. They are highly speculative and the asset class remains largely immature at present. Some digital assets may be or involve financial products that are regulated, and others may not.
10. Investors and consumers are not protected if a platform fails or is hacked. In many jurisdictions like Vanuatu, crypto assets are not recognised as legal tender. Investors are only protected to the extent that they fit within existing laws. Investors must be warned that they are not protected by any regulatory or statutory provisions if their investments ended up being fraudulent or a scam. The VFSC has implicitly outlined what is defined as a digital asset and what activities are regulated.
11. Digital Asset investments carry risk and remain speculative, and investors who are yet to understand the complexity of the digital asset environment need to inform themselves of the associated risks. Class D license holders must ensure that adequate information, including details of associated risks, is provided to investors so that investors can make informed decisions before engaging in digital assets investment.
12. If the digital asset or token falls within the legal definition of “financial product” in the law, then that asset would be regulated in a similar way to other investments. Among other things, this involves the person issuing the asset being required to hold a Financial Dealer’s licence. If the digital asset is a financial product, such as a derivative or managed investment scheme, the issuer would then be bound by the Financial Dealers Licensing Act, and the licensing requirements.
13. VFSC also maintains a register of dealer licensees and will ensure that any party promoting or issuing a financial product, including digital assets without an authorised license issued by VFSC will be prosecuted under the relevant law.
14. Obligations under the Financial Dealers Licensing Act are stringent, and each licensee must adhere to the licencing requirements issued by the VFSC. If your business is involved with Digital assets such as cryptocurrency, tokens or stable coins you are required to hold a Class D License under the Financial Dealers Licensing Act.
15. If your company is giving advice, dealing, or providing other intermediary services for digital assets that are financial products, a range of Vanuatu laws apply, including the requirement to hold a Class D License under the Financial Dealers Licensing Act.
16. If the digital assets stored by your business fall within the definition of a ‘financial product’, you need to ensure you hold the appropriate custodial and depository authorisations and have third party custodian arrangements in place to ensure the proper safekeeping of clients’ digital assets.
17. It is particularly important to ensure that ongoing disclosures are kept up to date, to both the investors and the regulator.
18. The Financial Dealers Licensing Act prohibits misleading or deceptive conduct in a range of circumstances, including in trade or commerce, in connection with financial services, and in relation to a financial product. The Act and its regulations that prohibit misleading or deceptive conduct may apply even if an interest in a digital asset is issued, traded or sold offshore.
19. Care should be taken to ensure promotional communications about a digital asset do not mislead or deceive potential consumers and do not contain false information. These include:
- stating or conveying the impression that a digital asset (such as a cryptocurrency) offered is not a financial product if that is not the case;
- stating or conveying the impression that a digital asset trading platform does not quote or trade financial products if that is not the case;
- using social media to generate the appearance of a greater level of public interest in a digital asset;
- undertaking or arranging for a group to engage in trading strategies to generate the appearance of a greater level of buying and selling activity for a digital asset;
- failing to disclose adequate information about the digital asset, or
- suggesting that the digital asset is a regulated product, or the regulator has approved the digital asset service provider if that is not the case.
20. A non-cash payment (NCP) facility can be a financial product which requires a VFSC financial dealer licence if payments can be made to more than one person. An intermediary that arranges for the issue of an NCP facility may need a licence, or to act on behalf of a licensee.
21. Entities may propose to issue financial products that:
- are linked to, or reference, digital assets;
- invest in digital assets, or
- otherwise enable consumers and investors to have exposure to digital assets.
If so, the entities will be providing a financial service in issuing such financial products and will require a Class D financial dealer’s licence.
22. Entities that wish to apply for a new financial dealer licence must take note of the following:
- we will assess the application under relevant policy and, based on our risk-targeted framework, consider the regulations that already apply to financial products of that type generally;
- applications for digital asset-related financial products are more likely to be novel applications – our experience to date indicates that assessment of those applications may take more time, and
- we will work with businesses to identify the issues to be addressed in the application and will issue additional guidance or license conditions if we think that doing so may be helpful to industry.
23. The VFSC has provided guidance on the meaning of ‘provide financial product advice’ and the meaning of ‘deal in a financial product’ in other licences and already provides guidance on the obligations that apply to providers of financial services.
24. An applicant seeking a Class D licence must provide, but not limited to, the following:
- Evidence of Class A, B and C licenses;
- Detailed business plan;
- A constitution and compliance plan;
- A compliant product disclosure statement (PDS) and comply with other disclosure obligations;
- Organizational structure with names of key individuals occupying key positions;
- Evidence of minimum unimpaired Capital of USD$ 500,000;
- Risk Management Strategy and Procedures;
- Detailed information on custody arrangements;
- AML/CTF Procedures regarding provision of custody services;
- Outsourcing agreement in relation to custody arrangements;
- Details of firm providing custody;
- Internal control and compliance procedure manual;
- Details of Chief Technology Officer;
- Details of measures to be put in place with regards to infrastructure, security and safety of digital assets;
- Detailed information on arrangements to ensure confidentiality, security and reliability of client(s) information;
- Copy of promotion material(s) to be used in connection with the proposed business.
25. A Class D license holder must establish a physical presence in Vanuatu with the following key persons present in Vanuatu:
- At least one director;
- A Manager;
- A Chief Technology Officer.
26. Initial coin offering (ICO) is prohibited under Class D license. This means that coin offering is illegal and cannot be issued by the holder of class D license.
27. A holder of a Class D license must establish an Escrow Account where investors’ funds are held separately from the company’s funds. The escrow account must be audited annually by an independent auditor and the audit reports must be filed at VFSC, together with the company accounts, no later than 90 days after the financial year.
28. A holder of a Class D license must ensure full compliance with the Anti-Money Laundering and Counter-Terrorism Financing Act No. 13 of 2014. This includes applying KYC principles such as CDD and ECDD when required, and details of the UBO of digital assets being traded must be kept on record and provided to VFSC.
GUIDANCE NOTES ON LICENSED RESIDENT MANAGERS
1. This guideline is issued to provide further clarification to section 4AB of the Financial Dealers Amendment Act No. 9 of 2021, on the requirement of the licensed resident manager of the Financial Dealer in Securities. Section 4AC of the Financial Dealers Licensing Act CAP 70, requires that the applicant must be a natural person.
2. The intention of the licensed resident manager is to act and manage the business on behalf of a financial dealer in securities who for some valid reasons could not establish or meet the physical presence required under the Act. As licensed resident manager, the licensee must have its own separate, stand-alone (as opposed to shared) premises, records, management staff and key equipment, and a software system that is fully controlled in Vanuatu. A person applying for the grant of a Manager’s license will have to present evidence that all these requirements exist before a license will be granted. All manager’s license applications will be dealt with on a case-by-case basis and it is the responsibility of the directors, managers and key persons to ensure that all these requirements are prearranged and are in order before a license is issued.
3. The person applying for the resident manager’s license must complete the application form approved by the Commission and complete a personal questionnaire form attached with the application form and provide supporting evidence to convince the VFSC that they have the knowledge and skills to manage a licensed security dealer on behalf of its owners. The VFSC would require copies of their CVs and qualifications and at least two references to support their application.
4. If a body corporate is applying for the resident manager’s license, the director/partner/manager and staff who would be directly involved in the management of the licensed security dealers must be clearly stated and supported by their CVs and copies of their qualifications.
5. Where a licensed resident manager proposes to outsource aspects of its activities, it should provide the VFSC with full details of the proposal. Outsourcing should be undertaken using a written, legally binding agreement which should specify, for example, the nature of the service, performance benchmarks, confidentiality of data/information, exit and, in the extreme, termination provisions.
4. Licensed resident managers must have dedicated premises, staff and systems and without such it will be difficult to show that there is an appropriate control environment. The VFSC has no objection to shared reception, conference facilities or security services, however the key components of the business operations and decision making must be kept separate from other related entities.
5. The licensed resident manager’s premises need to be separate and distinct. The licensed resident manager and staff should occupy separate offices and have their equipment (e.g. computers, files and filing system). A workstation in an open plan office would not suffice. The premises should be clearly identified as being the office of the licensed resident manager.
6. The premises must have direct public access. This may be by a corridor or other public area within a building. Access through an open plan office would not suffice.
7. There is no requirement for the premises to be opened or manned at any specified time. The premises are expected to be opened at advertised times for some period on normal working days.
8. Notwithstanding paragraph 6, the VFSC will expect to have continuous access to management and information to enable it to conduct on-site inspections of the licensee.
9. Licensed resident managers can manage more than one licensed financial dealer; however, VFSC expects that the bigger and more complex the manager’s business, the more staff would be required to manage the business operations and to maintain all necessary records. The precise number of staff can only be assessed against the intended business plan, taking into account the necessary systems and normal spread of control concepts to manage the licensee’s activities.
9. There must be at least one person who is a direct employee of the licensed resident Manager and who meets the requirements of the “fit and proper” criteria, as issued under the “Fit and Proper” guideline.
10. To satisfy the requirements of the physical presence, the licensed resident manager must be able to show that he/she is vested with some executive powers to manage the day-to-day operations of the licensed financial dealer.
GUIDANCE NOTES ON CUSTODY OF DIGITAL ASSETS
The Commission is issuing this guideline in accordance with Section 19A of the Financial Dealers Licensing Act No. 9 of 2021.
The Commission does not envisage Financial Dealers licensed under the Financial Dealers Licensing Act performing the full set of dealers and securities functions with respect to digital assets, including maintaining custody of these assets, unless they fully understand the inherent risks and have established mechanisms that address the unique risk attributes of digital assets and minimize risk to investors and other market participants.
For purposes of this guideline, the term “digital asset” refers to an asset that is issued and/or transferred using distributed ledger or blockchain technology (“distributed ledger technology”), including, but not limited to, “virtual currencies,” “coins,” and “tokens.”
The focus of this guideline is digital assets that rely on cryptographic protocols. A digital asset meets the definition of a “security” as a new asset class under the Financial Dealers Licensing Act.
Customers who deal in digital assets through Financial Dealers licensed by the Commission to trade or hold custody of their digital assets are not protected by any statutory compensation in Vanuatu. Investors who trade in digital assets with these licensees, or use them as custodian of their digital assets, do so at their own risk.
Acting as custodian of traditional securities is an integral part of a Financial Dealer’s service; however, custody of digital assets raises certain compliance questions with respect to the Customer Protection requirements, as it may not be possible for a financial dealer to establish control over a digital asset with the same control mechanisms used in connection with traditional securities. Moreover, there have been instances of fraud, theft, and loss with respect to the custodianship of digital assets. Therefore, VFSC would not accept a financial dealer licensed under the Financial Dealers Licensing Act to provide custodian services for digital assets unless it can provide evidence that it understands the risks and has established mitigating factors to manage the risks.
The risks associated with digital assets are due in part to differences in the clearance and settlement of traditional securities and digital assets. Traditional securities transactions generally are processed and settled through clearing agencies, depositories, clearing banks, transfer agents, and issuers. A Financial Dealer’s employees, regulators, and external auditors can contact these third parties to confirm that the financial dealer is in fact holding the traditional securities reflected on its books and records and financial statements, thereby providing objective processes for examining the broker’s compliance with the Customer Protection requirements. Also, the traditional securities infrastructure has established processes to reverse or cancel mistaken or unauthorized transactions. Thus, the traditional securities infrastructure contains checks and controls that can be used to verify proprietary and is designed “to give more specific protection to customer funds and securities, in effect forbidding brokers and dealers from using customer assets to finance any part of their businesses unrelated to servicing securities customers; e.g., a firm is virtually precluded from using customer funds to buy securities for its own account”.
3. RISK - DISTRIBUTED LEDGER TECHNOLOGY
Digital assets that are issued or transferred using distributed ledger technology may not be subject to the same established clearance and settlement process familiar to traditional securities market participants. The manner in which digital assets are issued, held, or transferred may create greater risk for financial dealers who are maintaining custody of this type of asset. For example, a Financial Dealer could be victimized by fraud or theft, could lose a “private key” necessary to transfer a client’s digital assets, or could transfer a client’s digital assets to an unintended address without the ability to reverse a fraudulent or mistaken transaction.
In addition, malicious activity attributed to actors taking advantage of potential vulnerabilities that may be associated with distributed ledger technology and its associated networks could render the Financial Dealer unable to transfer a customer’s digital assets.
The potential liabilities caused by the theft or loss of property from a custodian, including digital assets, could cause the Financial Dealer to incur substantial losses or even fail, impacting customers and other creditors.
A custodian that maintains custody of a fully paid or excess margin digital asset for a customer must hold it in a manner that is safe and secure, including that the digital asset must be in the exclusive physical possession or control of the custodian. A digital asset that is not in the exclusive physical possession or control of the custodian because, for example, an unauthorized person knows or has access to the associated private key (and therefore has the ability to transfer it without the authorization of the custodian) would not be considered as being held in a manner that is safe and secure.
As noted above, the loss or theft of digital assets may cause the firm and its digital asset customers to incur substantial financial losses. This, in turn, could cause the firm to fail, imperilling its traditional securities customers as well as the financial dealer’s counterparties and other market participants.
4. VFSC POSITION
VFSC therefore requires that a firm providing custodian services for digital assets must be a licensed custodian, well capitalized and well regulated by a reputable regulator in another jurisdiction.
A firm providing custody over digital assets must ensure that:
· it takes appropriate measures to shield traditional securities customers, counterparties, and market participants from the risks and consequences of digital asset fraud, theft, or loss;
· it is a professional custodian operating in a well-regulated jurisdiction;
· it is sufficiently capitalised;
· it operates in a manner consistent with the Commission’s position that it could not deal in, effect transactions in, maintain custody of, or operate an alternative trading system for traditional securities;
· by limiting its activities exclusively to digital assets, the custodian would shield its customers from the risks that could arise if the firm engaged in activities involving non-digital assets.
· A custodian must establish, maintain, and enforce reasonably designed written policies and procedures to conduct and document the safekeeping of digital assets. Such policies and procedures should provide a reasonable level of assurance that any digital assets held in custody by the firm are in fact digital assets and not other types of securities.
5. POLICIES, PROCEDURES AND ASSESSMENT OF DISTRIBUTED LEDGER TECHNOLOGY
A firm providing custody services must establish, maintain, and enforce reasonably designed written policies and procedures to conduct and document an assessment of the characteristics of a digital asset’s distributed ledger technology and associated network prior to undertaking to maintain custody of the digital asset and at reasonable intervals thereafter. The assessment should examine at least the following aspects of the distributed ledger technology and its associated network, among others:
a) performance (i.e., does it work and will it continue to work as intended);
b) transaction speed and throughput (i.e., can it process transactions quickly enough for the intended application(s));
c) scalability (i.e., can it handle a potential increase in network activity);
d) resiliency (i.e., can it absorb the impact of a problem in one or more parts of its system and continue processing transactions without data loss or corruption);
e) security and the relevant consensus mechanism (i.e., can it detect and defend against malicious attacks, such as 51% attacks or Denial-of-Service attacks, without data loss or corruption);
f) complexity (i.e., can it be understood, maintained, and improved);
g) extensibility (i.e., can it have new functionality added, and continue processing transactions without data loss or corruption); and
h) visibility (i.e., are its associated code, standards, applications, and data publicly available and well documented).
The assessment also should examine the governance of the distributed ledger technology and associated network and how protocol updates and changes are agreed to and implemented. This would include an assessment of impacts to the digital asset of events such as protocol upgrades, hard forks, airdrops, exchanges of one digital asset for another, or staking. Such assessments would allow a firm to be able to identify significant weaknesses or other operational issues with the distributed ledger technology and associated network utilized by the digital asset, or other risks posed to the firm’s business by the digital asset. That would allow the firm to take appropriate action to identify and reduce its exposure to such risks. Accordingly, if there are significant weaknesses or other operational issues with the distributed ledger technology and associated network, the firm would be able to determine whether it could or could not maintain custody of the digital asset.
6. POLICIES, PROCEDURES AND SAFEKEEPING OF DIGITAL ASSETS
A firm providing custody services must establish, maintain, and enforce reasonably designed written policies, procedures, and controls for safekeeping and demonstrating that the firm has exclusive possession or control over the digital assets that are consistent with industry best practices to protect against the theft, loss, and unauthorized and accidental use of the private keys necessary to access and transfer the digital assets the firm holds in custody. These policies, procedures, and controls should address, among other matters:
a) the on-boarding of a digital asset such that the firm can associate the digital asset security to a private key over which it can reasonably demonstrate exclusive physical possession or control;
b) the processes, software and hardware systems, and any other formats or systems utilized to create, store, or use private keys and any security or operational vulnerabilities of those systems and formats;
c) the establishment of private key generation processes that are secure and produce a cryptographically strong private key that is compatible with the distributed ledger technology and associated network and that is not susceptible to being discovered by unauthorized persons during the generation process or thereafter;
d) measures to protect private keys from being used to make an unauthorized or accidental transfer of a digital asset held in custody by the firm; and
e) measures that protect private keys from being corrupted, lost or destroyed, that back-up the private key in a manner that does not compromise the security of the private key, and that otherwise preserve the ability of the firm to access and transfer a digital asset security it holds in the event a facility, software, or hardware system, or other format or system on which the private keys are stored and/or used is disrupted or destroyed. These policies, procedures, and controls for safekeeping and demonstrating the firm has exclusive possession or control over digital assets should serve to protect against the theft, loss, and unauthorized and accidental use of the private keys and therefore the customers’ digital assets.
7. POLICIES AND PROCEDURES TO ADDRESS FUTURE EVENTS
A firm providing custody services must establish, maintain, and enforce reasonably designed written policies, procedures, and arrangements to:
a) specifically identify, in advance, the steps it intends to take in the wake of certain events that could affect the firm’s custody of the digital assets, including blockchain malfunctions, 51% attacks, hard forks, or airdrops;
b) allow the firm to comply with a court-ordered freeze or seizure; and
c) allow the transfer of the digital asset held by the firm to another special purpose broker-dealer, a trustee, receiver, liquidator, a person performing a similar function, or another appropriate person, in the event the custodian can no longer continue as a going concern and self-liquidates or is subject to a formal bankruptcy, receivership, liquidation, or similar proceeding. These policies and procedures should include measures for ensuring continued safekeeping and accessibility of the digital assets, even if the firm is wound down or liquidated, and thus would provide a reasonable level of assurance that a firm has developed plans to address unexpected disruptions to its control over the digital asset.
8. POLICIES AND PROCEDURES ON INVESTMENT RISK IN DIGITAL ASSETS
A firm providing custody services must have written disclosures to prospective customers about the risks of investing in or holding digital assets. The disclosures could include, among other matters:
a) prominent disclosure explaining that digital assets may not be “securities” as defined in the Financial Dealers Licensing Act, in particular, digital assets that are “investment contracts” but are not registered with the Commission or are excluded from the definition of “securities” in the Financial Dealers Licensing Act and thus the protections under the laws of Vanuatu may not apply with respect to those securities;
b) a description of the risks of fraud, manipulation, theft, and loss associated with digital assets;
c) a description of the risks relating to valuation, price volatility, and liquidity associated with digital assets; and
d) a description of the processes, software and hardware systems, and any other formats or systems utilized by the firm to create, store, or use the firm’s private keys and protect them from loss, theft, or unauthorized or accidental use (including, but not limited to, cold storage, key sharding, multiple factor identification, and biometric authentication).
The purpose of such disclosures is to provide the prospective customers with sufficient and easily understandable information about the risks to enable them to make informed decisions about whether to invest in or hold digital assets through the Class D Licensee.
9. CUSTOMER WRITTEN AGREEMENT
A firm providing custody services must enter into a written agreement with each customer that sets forth the terms and conditions with respect to receiving, purchasing, holding, safekeeping, selling, transferring, exchanging, custodying, liquidating, and otherwise transacting in digital assets on behalf of the customer. This step would ensure documentation of the terms of agreement between the customer and the custodian providing custody of the customer’s digital asset, which would provide greater clarity and certainty to customers regarding their rights and responsibilities under the agreement with the custodian.
10. AML/CFT PROCEDURE
A firm providing custody services must establish AML/CTF procedures to ensure compliance with the Anti-Money Laundering and Terrorist Financial Act of Vanuatu.
For the purposes of these guidance notes, the following definitions shall apply:
A “51% attack” is an attack on a blockchain or distributed ledger in which an attacker or group of attackers controls a majority of the network’s hash rate, mining or computing power, allowing the attacker or group of attackers to prevent new transactions from being confirmed.
“Hard forks” refer to backward-incompatible protocol changes to a distributed ledger that create additional versions of the distributed ledger, potentially creating new digital assets.
“Airdrops” refer to the distribution of digital assets to numerous addresses, usually at no monetary cost to the recipient or in exchange for certain promotional services.
“Staking” refers to the use of a digital asset in a consensus mechanism.
“Sharding” is a method for distributing data across multiple machines.
GUIDANCE NOTES ON PHYSICAL PRESENCE CRITERIA
1. This guideline is issued to provide further clarification on the requirement of the physical presence of a Financial Dealer Licensee.
2. The intention of the physical presence requirement is that each licensee must have its own separate, stand-alone (as opposed to shared) premises, records, management staff and key equipment, and a software system that is fully controlled in Vanuatu. A person applying for the grant of a license will have to present evidence that all these requirements exist before a license will be granted. All license applications will be dealt with on a case-by-case basis and it is the responsibility of the directors, managers and key persons to ensure that all these requirements are prearranged and are in order before a license is issued, unless the licensee intends to use a licensed Manager to run its business in Vanuatu. It is not possible for this Guideline to address all possibilities and licensees are therefore encouraged to discuss proposals, which may include the outsourcing of aspects of their operations, with the Vanuatu Financial Services Commission prior to finalization of their applications.
3. Where a licensee proposes to outsource aspects of its activities, it should provide the VFSC with full details of the proposal. Outsourcing should be undertaken using a written legally binding agreement which should specify, for example, the nature of the service, performance benchmarks, confidentiality of data/information, exit and, in the extreme, termination provisions.
4. Licensees must have dedicated premises and without such it will be difficult to show that there is an appropriate control environment. The VFSC has no objection to shared reception, conference facilities or security services; however, the key components of the business operations and decision making must be kept separate from other related entities.
5. The licensee’s premises need to be separate and distinct. Licensees should occupy separate offices and have their own equipment (e.g. computers, files and filing system). A workstation in an open plan office would not suffice. The premises should be clearly identified as being the office of the licensee.
6. The premises must have direct public access. This may be by a corridor or other public area within a building. Access through an open plan office would not suffice.
7. There is no requirement for the premises to be opened or manned at any specified time. The premises are expected to be opened at advertised times for some period on normal working days.
8. Notwithstanding paragraph 6, the VFSC will expect to have continuous access to management and information to enable it to conduct on-site inspections of the licensee.
9. VFSC expects that the bigger and more complex the licensee’s business, the more staff would be in Vanuatu to manage the business operations and to maintain all necessary records. The precise number of staff can only be assessed against the intended business plan, taking into account the necessary systems and normal spread of control concepts to manage the licensee’s activities.
9. There must be at least one person who is a direct employee of the licensee and who meets the requirements of the “fit and proper” criteria, as issued under the “Fit and Proper” guideline.
10. To satisfy the requirements of the physical presence, the licensee must be able to show that a person appointed to manage the operation in Vanuatu is vested with some executive powers to manage the day-to-day operations of the dealer.
GUIDANCE NOTES ON OUTSOURCING ARRANGEMENTS
Non-Bank Financial institutions, including Financial Dealers in Securities, outsource business activities, functions and processes to meet the challenges of technological innovation, increased specialization, cost control, and heightened competition. However, outsourcing can increase an institution's dependence on third parties, which may increase its risk profile.
Many financial sector regulators have responded by introducing guidance related to the management of outsourcing risks, hence VFSC is issuing this guidance on the same basis.
This Guideline sets out VFSC’s expectations for financial dealers who are regulated entities under the Financial Dealers Licensing Act that outsource, or contemplate outsourcing, one or more of their business activities to a service provider. These expectations should be considered prudent practices, procedures or standards that should be applied according to the characteristics of the outsourcing arrangement and the circumstances of the licensee.
Financial Dealers have the flexibility to configure their operations in the way most suited to achieving their corporate objectives. However, this Guideline operates on the premise that licensed entities retain ultimate accountability for all outsourced activities. Furthermore, VFSC’s supervisory powers should not be constrained, irrespective of whether an activity is conducted in-house, outsourced, or otherwise obtained from a third party.
Under this Guideline, licensed entities who have outsourced or wish to outsource part of their management functions to a third party are expected to:
· evaluate the risks associated with all existing and proposed outsourcing arrangements;
· develop a process for determining the materiality of arrangements;
· implement a program for managing and monitoring risks, commensurate with the materiality of the arrangements;
· ensure that senior management receives information sufficient to enable them to discharge their duties under this Guideline.
For the purposes of this Guideline, an outsourcing arrangement is an agreement between a Licensee and a service provider, whereby the service provider performs a business activity, function or process that is, or could be, undertaken by the Licensee itself. A Licensee may consult with VFSC when they are uncertain whether a particular arrangement falls within this definition.
3. At a minimum, VFSC expects the following to be addressed when a Licensee enters into a material outsourcing arrangement with another entity:
a) a holder of a Class D license cannot outsource the position of the “Chief Technology Officer”;
b) an outsourcing agreement that details, among other things, the scope of the arrangement, the services to be supplied, the nature of the relationship between the Licensee and the service provider, and procedures governing the subcontracting of services;
c) an appropriate business continuity plan;
d) a process for monitoring and oversight;
e) a due diligence process that addresses the qualitative aspects of the arrangement, particularly those pertaining to the unique operational requirements of the Licensee;
f) procedures governing the subcontracting of services;
g) legislative requirements relating to location of records.
4. Accountability and Control
A Licensee should have appropriate risk management policies and practices that are regularly reviewed. In terms of the specific risks arising from outsourcing, it is expected that, in carrying out this duty, senior management would periodically:
· approve or reaffirm the policies that apply to outsourcing arrangements (e.g., risk philosophy, materiality criteria, risk management program and approval limits); and
· review a list of all the Licensee’s material outsourcing arrangements and other relevant reports, when appropriate.
5. Assessment for Outsourcing Arrangements
VFSC expects that a Licensee will design a risk management program that applies to all its outsourcing arrangements. Without limiting the scope of the assessment, factors that the Licensee should consider include:
a) the impact of the outsourcing arrangement on the finances, reputation and operations of the Licensee, or a significant business line, particularly if the service provider, or group of affiliated service providers, should fail to perform over a given period of time;
b) the ability of the Licensee to maintain appropriate internal controls and meet regulatory requirements, particularly if the service provider were to experience problems;
c) the cost of the outsourcing arrangement;
d) the degree of difficulty and time required to find an alternative service provider or to bring the business activity 'in-house'; and
e) the potential that multiple outsourcing arrangements provided by the same service provider can have an important influence – in aggregate – on the Licensee.
6. Risk Management Program for Material Outsourcing Arrangements
In general, VFSC expects that a Licensee will design a risk management program that applies to all its outsourcing arrangements, except those that are clearly immaterial, and that the risk mitigation employed will be commensurate with the Licensee’s assessment of the risks associated with the particular outsourcing arrangement.
7. Due Diligence Processes
VFSC expects a Licensee to conduct an internal due diligence to determine the nature and scope of the business activity to be outsourced, its relationship to the rest of the entity’s activities, and how the activity is managed.
In selecting a service provider, or substantially amending or renewing a contract or outsourcing agreement, Licensees are expected to undertake a due diligence process that fully assesses the risks associated with the outsourcing arrangement, and addresses all relevant aspects of the service provider, including qualitative (i.e., operational) and quantitative (i.e., financial) factors. When out-of-Vanuatu outsourcing is being contemplated, the Licensee should pay particular attention to the legal requirements of that jurisdiction, as well as the potential foreign political, economic and social conditions, and events that may conspire to reduce the foreign service provider's ability to provide the service, as well as any additional risk factors that may require adjustment to the risk management program.
8. Policies and Procedures to Manage Risks Associated with Material Outsourcing Arrangements
Contract for Services
VFSC expects material outsourcing arrangements to be documented by a written contract that addresses all elements of the arrangement and has been reviewed by the Licensee’s legal counsel. Some of the items identified below may not be applicable in all circumstances; however, Licensees are expected to address all issues relevant to managing the risks associated with each outsourcing arrangement to the extent feasible and reasonable given the circumstances, and having regard to the interests of the Licensee.
a) Nature and Scope of the Service Being Provided
The contract or outsourcing agreement is expected to specify the scope of the relationship, which may include provisions that address the frequency, content and format of the service being provided. The contract or outsourcing agreement is expected to detail the physical location where the service provider will provide the service.
b) Performance Measures
Performance measures should be established that allow each party to determine whether the commitments contained in the contract are being fulfilled.
c) Reporting Requirements
The contract or outsourcing agreement is expected to specify the type and frequency of information the Licensee receives from the service provider. This would include reports that allow the Licensee to assess whether the performance measures are being met and any other information required for the Licensee’s monitoring program. In addition, the contract or outsourcing agreement is expected to include procedures and requirements for the service provider to report events to the Licensee that may have the potential to materially affect the delivery of the service.
d) Dispute Resolution
VFSC expects the contract or outsourcing agreement to incorporate a protocol for resolving disputes. The contract or outsourcing agreement should specify whether the service provider must continue providing the service during a dispute and the resolution period, as well as the jurisdiction and rules under which the dispute will be settled.
e) Defaults and Termination
The contract or outsourcing agreement is expected to specify what constitutes a default, identify remedies, and allow for opportunities to cure defaults or terminate the agreement. The Licensee is expected to ensure that it can reasonably continue to process information and sustain operations in the event that the outsourcing arrangement is terminated or the service provider is unable to supply the service. Appropriate notice should be required for termination of service and the Licensee’s assets should be returned in a timely fashion. In particular, data and records relating to data processing outsourcing arrangements should be returned to the Licensee in a format that would allow the Licensee to sustain business operations without prohibitive expense.
The contract or outsourcing agreement should not contain wording that precludes the service from being continued in situations where the Licensee is in liquidation.
f) Ownership and Access
Identification and ownership of all assets (intellectual and physical) related to the outsourcing arrangement should be clearly established, including assets generated or purchased pursuant to the outsourcing arrangement. The contract or outsourcing agreement should state whether and how the service provider has the right to use the Licensee's assets (e.g., data, hardware and software, system documentation or intellectual property) and the Licensee's right of access to those assets.
g) Contingency Planning
The contract or outsourcing agreement should outline the service provider's measures for ensuring the continuation of the outsourced business activity in the event of problems and events that may affect the service provider's operation, including systems breakdown and natural disaster, and other reasonably foreseeable events. The Licensee should ensure that the service provider regularly tests its business recovery system as it pertains to the outsourced activity, notifies the Licensee of the test results, and addresses any material deficiencies. The Licensee is expected to provide a summary of the test results to VFSC upon request. In addition, the Licensee should be notified in the event that the service provider makes significant changes to its business resumption and contingency plans, or encounters other circumstances that might have a serious impact on the service.
h) Audit Rights
The contract or outsourcing agreement is expected to clearly stipulate the audit requirements and rights of both the service provider and the Licensee. At a minimum, it should give the Licensee the right to evaluate the service provided or, alternatively, to cause an independent auditor to evaluate, on its behalf, the service provided. This includes a review of the service provider's internal control environment as it relates to the service being provided.
j) Confidentiality, Security and Separation of Property
At a minimum, the contract or outsourcing agreement is expected to set out the Licensee’s requirements for confidentiality and security. Ideally, the security and confidentiality policies adopted by the service provider would be commensurate with those of the Licensee and should meet a reasonable standard in the circumstances. The contract or outsourcing agreement should address which party has responsibility for protection mechanisms, the scope of the information to be protected, the powers of each party to change security procedures and requirements, which party may be liable for any losses that might result from a security breach, and notification requirements if there is a breach of security.
VFSC expects appropriate security and data confidentiality protections to be in place. The service provider is expected to be able to logically isolate the Licensee's data, records, and items in process from those of other clients at all times, including under adverse conditions.
The contract or outsourcing agreement should fully describe the basis for calculating fees and compensation relating to the service being provided.
The service provider should be required to notify the Licensee about significant changes in insurance coverage and disclose general terms and conditions of the insurance coverage.
Location of Records
In accordance with the Financial Dealers Licensing Act and other relevant legislation, certain records of entities carrying on business in Vanuatu should be maintained in Vanuatu. In addition, the Licensee is expected to ensure that VFSC can access in Vanuatu any records necessary to enable VFSC to fulfil its supervisory mandate.
9. Business Continuity Plan
A Licensee’s business continuity plan should address reasonably foreseeable situations (either temporary or permanent) where the service provider fails to continue providing service. The business continuity plan and back-up systems should be commensurate with the risk of a service disruption. In particular, the Licensee's business continuity plan should ensure that the Licensee has in its possession, or can readily access, all records necessary to allow it to sustain business operations, meet its statutory obligations, and provide all information as may be required by VFSC to meet its supervisory mandate, in the event the service provider is unable to provide the service.
10. Outsourcing in Foreign Jurisdictions
When the material outsourcing arrangement results in services being provided in a foreign jurisdiction, the Licensee’s risk management program should be enhanced to address any additional concerns linked to the economic and political environment, technological sophistication, and the legal and regulatory risk profile of the foreign jurisdiction(s).
11. Monitoring and Oversight of Material Outsourcing Arrangements
Every Licensee engaged in material outsourcing should develop, implement and oversee procedures to monitor and control outsourcing risks in accordance with its outsourcing risk-management policies. The sophistication of the procedures should be commensurate with the size and complexity of the outsourcing arrangement(s) and with the expectations of this Guideline. Management is expected to prepare reports based on the Licensee’s monitoring and oversight activities. These reports may outline the success of the outsourcing arrangement and the effectiveness of the risk management program and may be reflected in the documentation delivered to the Licensee’s senior management.
12. Monitoring the Outsourcing Arrangement
The Licensee should monitor all material outsourcing arrangements to ensure that the service is being delivered in the manner expected and in accordance with the terms of the contract or outsourcing agreement. Monitoring may take the form of regular, formal meetings with the service provider and/or periodic reviews of the outsourcing arrangement’s performance measures. Within a reasonable time, the Licensee should advise VFSC of any events that are likely to have a significant negative impact on the delivery of the service.
13. A Licensee should review its material outsourcing arrangements to ensure compliance with its outsourcing risk policies and procedures and with the expectations of this Guideline. Reviews of material outsourcing arrangements should be periodically undertaken by the Licensee's internal audit department or another independent review function, either internal or external to the Licensee, provided it has the appropriate knowledge and skills. The Licensee’s senior management will always retain overall accountability for the outsourcing arrangement.
Reviews should test the Licensee's risk-management activities for outsourcing in order to:
· ensure risk-management policies and procedures for outsourcing are being followed;
· ensure effective management controls over outsourcing activities;
· verify the adequacy and accuracy of management information reports; and
· ensure that personnel involved in risk-management for outsourcing are aware of the Licensee’s risk-management policies and have the expertise required to make effective decisions consistent with those policies.
Management should adjust the scope of the review depending on the nature of the outsourcing arrangement.
14. Monitoring the Service Provider
At least annually, the Licensee should review the service provider to ascertain its ability to continue to deliver the service in the manner expected. This review would be commensurate with the level of risk involved and could include an assessment of the service provider's circumstances including its financial strength, prospects, technical competence, and use and performance of significant subcontractors.
Annex 1 - Examples of Outsourcing Arrangements
The outsourcing domain is diverse and growing. Some examples may include:
· Information system management and maintenance (e.g., data entry and processing, data centres, facilities management, end-user support, local area networks, help desks);
· Custody of digital assets or security tokens;
· Document processing (e.g., cheques, credit card slips, bill payments, bank statements, other corporate payments);
· Application processing (e.g., insurance policies, loan originations, credit cards);
· Policy administration (e.g., premium collection, policy assembly, invoicing, endorsements);
· Claims administration (e.g., loss reporting, adjusting);
· Loan administration (e.g., loan negotiations, loan processing, collateral management, collection of bad loans);
· Investment management (e.g., portfolio management, cash management);
· Marketing and research (e.g., product development, data warehousing and mining, advertising, media relations, call centres, telemarketing);
· Back office management (e.g., electronic funds transfer, payroll processing, custody operations, quality control, purchasing);
· Real estate administration (e.g., building maintenance, lease negotiation, property evaluation, rent collection);
· Professional services related to the business activities of the Licensee (e.g., accounting, internal audit, actuarial); and
· Human resources (e.g., benefits administration, recruiting).
This Guideline generally would not apply to the following:
· Courier services, regular mail, utilities, telephone;
· Procurement of specialized training;
· Discrete advisory services (e.g., legal opinions, certain investment advisory services that do not result directly in investment decisions, independent appraisals, trustees in bankruptcy);
· Purchase of goods, wares, commercially available software and other commodities;
· Independent audit reviews;
· Credit background and background investigation and information services;
· Market information services (e.g., Bloomberg, Moody's);
· Independent consulting;
· Services the Licensee is not legally able to provide;
· Printing services;
· Repair and maintenance of fixed assets;
· Supply and service of leased telecommunication equipment;
· Travel agency and transportation services;
· Correspondent banking services;
· Maintenance and support of licensed software;
· Temporary help and contract personnel;
· Fleet leasing services;
· Specialized recruitment;
· External conferences;
· Clearing and settlement arrangements between members or participants of recognized clearing and settlement systems;
· Sales of insurance policies by agents or brokers;
· Ceded insurance and reinsurance ceded; and
· Syndication of loans.
GUIDANCE NOTES ON RISK MANAGEMENT
These Guidelines are issued under Section 19A of the Financial Dealers Licensing Act as amended (the Act).
The purpose of this guideline is to set out the high level principles for Financial Dealers to identify and manage their inherent risks. Each licensee is required to submit a written Risk Management policy and procedure to VFSC covering all identified inherent risks and the mitigating factors put in place to manage those risks. The high level principles for risk management would be subject to regular update and amendment, as required. Amendments to the risk management document are to be approved by the Board of Directors. The risk management document must be reviewed at least annually in connection with changes in the technology, market environment and when maximum limits for risk exposure are reviewed and amended.
2. DEFINITION OF RISK MANAGEMENT
Risk Management is the systematic application of management policies, procedures and practices to the tasks of identifying, analysing, assessing, treating and monitoring risk. It is important that employees and directors of the Company manage risk for the benefit of its stakeholders.
3. STRATEGY TO MANAGE RISK
A holder of Class A, B, C and D license must have a sound strategy to manage risks arising from its core business activities. The licensee should first determine its risk tolerance, i.e. the level of risk that it is able and prepared to bear, taking into account its business objectives and available resources. In formulating its risk management strategy, the licensee should consider the following:
• the prevailing and projected technology, economic and market conditions and their impact on the risks inherent in its core activities;
• the available expertise to achieve its business targets in specific market segments and its ability to identify, monitor and control the risks in those market segments; and
• its mix of business/type of risks undertaken and the resulting concentration risks which may lead to volatility in business income and profitability.
A licensee should periodically review its risk management strategy taking into account its own financial performance and market developments. When there are material changes to its operations or its business strategy, the Licensee should review its risk management strategy appropriately to take account of the changes. The strategy should be properly documented and effectively communicated to all relevant staff. There should be a process to approve proposed deviations from the approved strategy, and systems and controls to detect unauthorised deviations.
A Licensee should adopt a risk management structure that is commensurate with its size and nature of its activities. The organisational structure should facilitate effective management oversight and execution of risk management and control processes.
The Board of Directors is ultimately responsible for the sound and prudent management of a licensee. The Board should approve the risk management strategy and risk policies pertaining to core business activities. It should ensure that adequate resources, expertise and support are provided for the effective implementation of the licensee’s risk management strategy, policies and procedures. It should also be the approving authority for changes to such policies, and ensure that any exceptions, which can include circumstances where delegation may be proposed, should be escalated and approved by it, where necessary. The reasons for these changes and exceptions should be documented. Such documentation should also be available upon request to the external auditor and the regulator.
The senior management, or a committee comprising members of senior management from both the business operations and control functions, should establish the risk management framework. The framework should cover areas such as approval of business and risk strategy, review of the risk profile, implementation of risk policies approved by the Board, delegation of authority and evaluation of the business processes. There should be adequate measures to address potential conflicts of interest. For example, the member of senior management approving the base rate of investment in securities product should not have marketing responsibilities and there should be proper segregation of responsibilities from client investment handling and settlement responsibilities.
A licensee should establish a risk management function, preferably independent from the operational processes, if warranted by the size and complexity of its operations. This function would be primarily responsible for the development of and ensuring compliance with the licensee’s risk management policies and procedures.
5. POLICIES AND PROCEDURES
Risk policies should set out the conditions and guidelines for the identification, acceptance, monitoring and management of risks. These policies should be well-defined and consistent with the licensee’s risk strategy, as well as adequate for the nature and complexity of its activities. They should also help explain the relationship of the risk management system to the company’s overall governance framework and to its corporate culture. The policies should, at a minimum, cover the following:
• the identification, measurement and communication of key risks to the Board;
• the process by which the Board decides on the maximum amount of risk the company is able to take, as well as the frequency of review of risk limits;
• the roles and responsibilities of the respective units and staff involved in acceptance, monitoring and management of risks;
• the approval structure for product development, pricing, investment underwriting, and handling of payment settlements, including authority to approve deviations and exceptions;
• the management of concentration risk and exposures to catastrophic events, portfolio monitoring and stress testing.
In order to be effective, policies should be communicated regularly throughout the organisation and should be revised periodically to take into account changing internal and external circumstances. There should also be regular training on risk policies.
The licensee should establish appropriate procedures and processes to implement its risk policies in the form of controls, checks and monitoring mechanisms. These should be documented and set out in sufficient detail to provide operational guidance to staff.
The licensee should have in place proper and effective reporting systems to satisfy the requirements of the Board with respect to reporting frequency, level of detail, usefulness of information and recommendations to address issues of concern. There should be clear guidelines on the type of information to be reported to the Board on a regular basis as well as when certain information or development ought to be communicated immediately to the Board. The head of risk management function should have the authority and obligation to inform the Board promptly of any circumstance that may have a material effect on the risk management system of the licensee.
6. RISK IDENTIFICATION, CONTROL AND MONITORING
Types of Risk and Risk Mitigation Techniques
The following are some of the main risks associated with securities transactions. Best practices for mitigating each of these risks are also described. Best practices for mitigating risk apply where a licensee through its manager or representative is entering into a securities transaction or where external investment managers have been delegated authority to enter into securities transactions on behalf of the licensee. Before delegating authority to an external investment manager to enter into a derivative transaction, the licensee should exercise appropriate due diligence to ensure that the external investment manager has established best practices for risk mitigation.
The sophistication of the approach to mitigating risk should match the investment types, use of securities and the complexity of the transactions entered into. The best practices for risk mitigation described below under the various risk categories should be considered by the licensee and documented in the licensee’s risk management framework, as appropriate.
7. Market Risk
Market risk is the risk of financial loss arising from adverse changes in the market value (price) of the reference asset or instrument that underlies the securities transaction. Market risk can be influenced by many factors, including movements in interest rates, credit spreads, equity prices, exchange rates or commodity prices. Licensees should pay particular attention to derivative transactions that involve the use of leverage, as these transactions can increase market risk by magnifying losses.
Mitigating Market Risk
To manage market risk, Licensees should consider the following:
Monitoring Market Risk and Leverage
Securities transactions can expose investment plans to market risk from a range of sources, and the amount of exposure can greatly exceed the plan’s initial investment. Market risk can be increased due to the significant leverage effect of certain securities. For example, a minor fluctuation in the value of the underlying interest can potentially cause large fluctuations in the value of a derivative. The value of a derivative that has a leverage effect can, therefore, be highly volatile.
Licensees should ensure that any securities transactions that involve the use of leverage are understood and closely monitored and managed in order to avoid undue risk. Limits should be established for the amount of leverage that the licensee may obtain through securities transactions that are consistent with maximum exposures authorized by the Licensee’s risk management framework. When establishing limits on the use of leverage, the licensee should take into account the company’s overall exposure from all of the leveraged investment strategies that the licensee has entered into. Setting limits would allow the licensee to assess the maximum financial loss in the most extreme market conditions. These limits should be clearly understood by all parties who are authorized to enter into derivative transactions on behalf of the plan. Plan administrators should carefully consider the use of leverage when using derivatives since losses can be greater than the money put into these instruments.
8. Counterparty Credit Risk
Counterparty credit risk is the risk of loss due to a counterparty’s unwillingness or inability to pay its contractual obligations under a contract. When a licensee enters into a non-centrally cleared OTC transaction, the licensee takes on the risk that their counterparty will default, causing the loss of market exposure or hedge provided by the investment transaction and potentially the loss of any unrealized gain from open financial investment contracts. Prudent management of counterparty credit risk can help minimize the risk of loss in the event of a counterparty default.
Mitigating Counterparty Credit Risk
To manage counterparty credit risk, the licensee should consider the following:
Counterparty credit risk can be managed through appropriate measurement of exposures, ongoing monitoring, timely evaluations of counterparties, and sound operating procedures. Before entering into a non-centrally cleared OTC securities contract, the licensee should conduct a comprehensive credit assessment of each of its proposed counterparties. Credit limits should be established for each counterparty, taking into account factors such as the creditworthiness of the proposed counterparty and whether collateral arrangements will be in place.
9. Liquidity Risk
Licensees who use derivatives are faced with two types of liquidity risk:
- Market liquidity risk: the risk that the licensee may not be able to exit or offset a derivatives position quickly or at a reasonable price. This inability may be due to inadequate market depth or stressed market conditions.
- Funding liquidity risk: the risk that the licensee may not be able to meet the future cash flow obligations from its derivative transactions such as meeting margin calls. Whether the derivatives are exchange traded or OTC derivatives, changes in the mark-to-market value of the derivative may result in the receipt of collateral or the need to post collateral on a daily basis. The licensee will therefore need to ensure that a sufficient supply of liquid, eligible collateral instruments is on hand to satisfy potential margin or collateral calls and that the licensee has the required operational and management capabilities to manage these transactions.
Mitigating Liquidity Risk
The licensee’s risk management framework should address the processes and procedures by which liquidity risk is managed. These processes and procedures should include the following:
· Prior to entering into a securities transaction, considering the market depth of the security transaction;
· Monitoring market depth for securities transactions on an ongoing basis;
· Ensuring that when collateral is pledged, the Licensee’s liquidity is not compromised and the pension fund’s overall risk profile is not adversely affected;
· Ensuring that sufficient cash reserves and cash equivalent instruments are maintained by the licensee to meet potential collateral demands.
10. Operational Risk
Operational risk is the risk of loss resulting from the actions of people, inadequate or failed internal processes and systems, or from external events. This is a particular risk in securities activities because of the complex and rapidly evolving nature of some financial or securities strategies. Operational risk also includes legal risk. Legal risk is the risk that a security or financial contract will not be legally enforceable. A number of factors contribute to legal risk, including the following:
· The legal capacity and authority of a counterparty to enter into a securities or financial contract;
· The securities or financial contract documentation being deficient or unenforceable;
· The securities or financial transaction not being in compliance with regulatory requirements.
Mitigating Operational Risk
The controls in place to manage operational risk must be commensurate with the scale and complexity of the financial activity being undertaken. Before entering into a securities transaction, a licensee should ensure that there are processes and procedures in place that demonstrate the following:
· That systems can support, and operational capacity can accommodate, the types of financial or securities transactions that the plan administrator is authorized to engage in;
· That all relevant details of securities or financial transactions are documented;
· That there is sufficient staff with the expertise to support the volume and types of complex securities transactions that the licensee may enter into;
· That staff who are involved with making decisions regarding the use of securities products such as derivatives will be provided with on-going education;
· That the methods for valuing positions are appropriate and the assumptions underlying valuation methods are reasonable.
11. Legal Due Diligence
Prior to entering into a financial transaction, a licensee should satisfy itself that the counterparty to the transaction has the regulatory and legal authority to enter into the transaction. A Licensee should also be satisfied that the terms of the transaction are adequately documented and legally enforceable. This is especially important with respect to provisions concerning the timing of the termination of outstanding transactions and the calculation of settlement amounts payable to or between parties upon the termination of the transaction. In order to promote legal certainty, a licensee should agree in writing to all material terms governing their trading relationship with their counterparty prior to or at the time of execution of a transaction.
12. Regulatory Compliance
A licensee should be aware that they and/or their counterparties may be subject to specific regulatory requirements for registering, central clearing, risk mitigation and trade reporting if they transact in securities.
Given the global nature of securities markets, Licensees should have procedures for identifying, communicating, managing and mitigating regulatory compliance risk. Licensees should also maintain knowledge of the regulatory requirements that apply to their securities activities, for all relevant jurisdictions.
13. Conducting Stress Testing
Licensees should, as appropriate, conduct stress testing of the securities or financial investments transactions under various market conditions and scenarios. Licensees should incorporate within the stress testing procedures the likelihood of adverse events affecting investment exposures (including adverse market movements, heightened counterparty credit or liquidity risks, or other possible events) to ensure that the licensee is aware of potential losses that the entity is exposed to from its financial transactions.
Stress testing helps to identify how the investment portfolio and liabilities respond to shifts in relevant economic variables or risk parameters. The sophistication of a Licensee’s stress testing should be proportionate to the size and complexity of the investment activities.
14. Best Practices
The prudent use of securities and financial instruments has the potential to enhance investment returns and reduce risks. If not used properly, however, securities can lead to substantial losses. In order to use these instruments effectively, Licensees must understand how securities or financial instruments can alter the risk and return profile of the investment plan and investment fund, and have a sound risk management framework to prevent unintended consequences.
Each entity has considerable choice regarding how they monitor and manage risk. At the same time, derivative strategies and investment portfolio compositions have become increasingly complex – which in turn requires more sophisticated risk management policies and procedures. This makes it even more important for Licensees to understand, monitor and manage their risk exposures. As risk management practices for securities or financial instruments are constantly evolving, VFSC expects each Licensee to remain current with best practices and to adopt such practices as applicable.
Risks involved in trading and custody of digital assets
This Digital Asset Risk Document is separate from and in addition to the disclosure of risk factors by issuers, distributors, counterparties or other persons and financial services providers involved in the issuance, distribution, trading and other transactions relating to Digital Assets, as may in particular be contained in prospectuses, key information documents, white papers, fact sheets and other information sheets and which describe in more detail the risks associated with a particular Digital Asset or category of Digital Asset.
This document does not constitute nor purport to constitute exhaustive disclosure of all relevant risks or other relevant aspects in connection with Digital Assets or transactions in such assets. It is a guide only, for the regulatory framework to be put in place and to ascertain risk factors of the products and services in the financial services sector and non-bank related activities.
2. Reasons for investments in Digital Assets
The reasons for investing in Digital Assets are unique to each client. However, the following reasons can be cited among others:
- Diversification: some Digital Assets, such as payment tokens, can show low correlation with traditional asset classes, and, as such, can bring diversification benefits in an overall portfolio context.
- High risk / high return profile.
- Belief in distributed ledger technologies: there is a consensus that distributed ledger technologies have a similar potential to that of the Internet 20 years ago.
- Loss of confidence in the traditional monetary system.
- Betting on the future: the future of Digital Assets is still largely unknown.
3. Key characteristics
Before investing, the Client should know some key elements related to Digital Assets. The elements presented below are only a part of them.
a. Distributed Ledger Technology
Distributed Ledger Technologies (“DLT”) refer to technologies that allow individual participants (nodes) within a system to propose, validate, and store operations in a synchronised dataset (“Ledger”) that is securely distributed across all nodes in the system. A distributed ledger typically exhibits the following characteristics:
- Embedded consensus algorithm
A distributed ledger includes a “consensus algorithm” that allows new entries to be added to and replicated in the database without any trusted third-party validation. In other words, none of the computers making up the network needs to be trusted and the consensus algorithm makes sure that all the data entered is accurate.
- Decentralised infrastructure
A distributed ledger has no single point of failure, which means that if multiple computers participating in the network disappear, the network will continue to function as long as one computer remains.
- Decentralised governance
A distributed ledger has no single entity controlling the network or making the rules for the network. The rules are defined in the “code” running the distributed ledger.
- Logically centralised
A distributed ledger is logically centralised, which means that every node sees the same state. It can be seen as one global computer or as thousands of dispersed computers that all see the same state.
Blockchain is a possible form of how data can be stored in such a system: operations (e.g., transactions) are organised in blocks, and a block is attached to the last previously created block. This allows operations and data to be stored without allowing them to be subsequently modified.
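The block-chaining property described above can be shown with a simplified model, given here as an added example that is not part of the VFSC document: each block stores the hash of its predecessor, so a later edit is detectable rather than physically impossible. The block layout, function names and sample transfers are assumptions made for illustration, and the model has no consensus algorithm, signatures or proof of work.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64  # assumed placeholder "previous hash" for the first block


def block_hash(index, prev_hash, operations):
    """SHA-256 over a canonical JSON encoding of the block contents."""
    payload = json.dumps(
        {"index": index, "prev_hash": prev_hash, "operations": operations},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


def append_block(chain, operations):
    """Attach a new block to the last previously created block."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_PREV
    block = {"index": len(chain), "prev_hash": prev_hash,
             "operations": list(operations)}
    block["hash"] = block_hash(block["index"], prev_hash, block["operations"])
    chain.append(block)
    return block


def first_invalid_block(chain):
    """Return the index of the first block that fails verification, or None."""
    expected_prev = GENESIS_PREV
    for i, block in enumerate(chain):
        if block["index"] != i or block["prev_hash"] != expected_prev:
            return i  # link to the predecessor is broken
        recomputed = block_hash(block["index"], block["prev_hash"],
                                block["operations"])
        if block["hash"] != recomputed:
            return i  # contents no longer match the stored hash
        expected_prev = block["hash"]
    return None


def build_sample_chain():
    """Constructed sample data: three blocks with one transfer each."""
    chain = []
    append_block(chain, [{"from": "alice", "to": "bob", "amount": 5}])
    append_block(chain, [{"from": "bob", "to": "carol", "amount": 2}])
    append_block(chain, [{"from": "carol", "to": "alice", "amount": 1}])
    return chain


def tamper_only(chain, index, new_amount):
    """Copy the chain and edit one amount, leaving every stored hash as is."""
    forged = copy.deepcopy(chain)
    forged[index]["operations"][0]["amount"] = new_amount
    return forged


def tamper_and_rehash(chain, index, new_amount):
    """Edit one block and recompute only that block's own hash."""
    forged = tamper_only(chain, index, new_amount)
    b = forged[index]
    b["hash"] = block_hash(b["index"], b["prev_hash"], b["operations"])
    return forged


def rewrite_from(chain, index, new_amount):
    """Edit one block and rebuild every later link and hash."""
    forged = tamper_only(chain, index, new_amount)
    for j in range(index, len(forged)):
        b = forged[j]
        b["prev_hash"] = forged[j - 1]["hash"] if j > 0 else GENESIS_PREV
        b["hash"] = block_hash(b["index"], b["prev_hash"], b["operations"])
    return forged


if __name__ == "__main__":
    honest = build_sample_chain()
    print("honest chain:", first_invalid_block(honest))
    print("edit only:", first_invalid_block(tamper_only(honest, 1, 200)))
    print("edit + rehash:", first_invalid_block(tamper_and_rehash(honest, 1, 200)))
    rewritten = rewrite_from(honest, 1, 200)
    print("full rewrite verifies:", first_invalid_block(rewritten) is None)
    print("head hash unchanged:", rewritten[-1]["hash"] == honest[-1]["hash"])
```

A fully rewritten chain verifies on its own but ends in a different head hash, so a verifier such as a custodian or auditor has to compare the head hash with the one held by independent nodes; agreeing on that head is the job of the consensus algorithm.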
There are two main types of distributed ledgers:
- Permissionless or public distributed ledgers
Anybody, including private individuals, can participate in the network by installing the relevant version of the software. Examples are Bitcoin, Ethereum, Ripple etc.
- Permissioned or private distributed ledgers
Only people invited or accepted to join the network can do so – they need the permission of a trusted authority. Examples are Hyperledger, R3 Corda or other enterprise blockchain services.
b. Digital Assets
Digital Assets are digital representations of any types of assets, securities, rights, currencies or units of accounts registered on a distributed ledger such as a blockchain. They include but are not limited to cryptocurrencies such as Bitcoin, Ethereum or Litecoin. They can also include securities such as classical shares or bonds registered on a distributed ledger (i.e. “tokenised securities” registered on a “securities ledger”).
From a regulatory perspective, regarding the regulatory framework for initial coin offerings (“ICOs”), Digital Assets can be classified in four categories: payment tokens, utility tokens, asset/security tokens and hybrid tokens.
For the purposes of this paper, they will not be discussed at length, as regulation does not at present allow this. That being said, the individual token classifications are not mutually exclusive. Asset/security and utility tokens can also be classified as payment tokens (referred to as hybrid tokens). In these cases, the requirements are cumulative; in other words, the tokens are deemed to be both securities and means of payment.
4. How to invest in Digital Assets?
Investors can buy digital assets themselves (for example through websites, crypto-currency exchanges, trading applications) or through selected banks and/or brokers.
5. Main risks
The following list highlights some of the main risks linked to digital assets, without being exhaustive:
- The value of Digital Assets is subject to high volatility, i.e., the price of Digital Assets may rapidly go down as well as up, on any given day, including on an intraday basis. Investments in Digital Assets are deemed highly speculative investments. The risk of substantial or total loss in purchasing or selling Digital Assets exists.
- Market prices may be very volatile and sometimes differ materially from the fair value of a Company or an investment opportunity in the case of illiquid/low liquidity assets.
- While the volatility of Digital Assets is high and varies significantly, changes and advances in technology, fraud, theft and cyber-attacks and regulatory changes, among others, may increase volatility further – elevating the potential of investment gains and losses. In addition, Digital Assets lack the historical track record of other currencies or commodities such as gold that could indicate whether current levels of volatility are typical or atypical.
Valuation risk
Setting a value to Digital Assets can be difficult depending on which category is chosen and, in some cases, there may not be any proven valuation methods:
- Payment tokens: the price of payment tokens depends on the supply and demand dynamics on a global level and does not rely on traditional valuation techniques used for securities (e.g., discounted cash flows), which can make it hard to provide an objective value to payment tokens.
- Utility tokens: utility tokens represent a right to consume a service or a product in the future. There are no proven valuation methods. Some of the utility tokens that are being issued have no intrinsic value other than the possibility to use them to access or use a service/product that is to be developed by the issuer. There is no guarantee that the services/products will be successfully developed. At the time of writing, the Company is not planning to provide access to utility tokens.
- Asset/security tokens: discounted cash-flow analysis + liquidity or illiquidity premium depending on i) maturity of company ii) trading venues. Asset tokens bear risks related to the underlying Company or asset in particular liquidity as many of the Companies raising funds are private Companies not listed in a stock market. See the Swiss Bankers Association standardized information booklet for further details on liquidity risks. Digital Assets only exist virtually on a computer network and have no physical equivalent. Establishing a value for Digital Assets is difficult as the value depends on the expectation and trust that Digital Assets can be used for future payment transactions (see valuation section above). Among others, persistent high volatility, changes and advances in technology, fraud, theft and cyber-attacks and regulatory changes may prevent the establishment of Digital Assets potentially rendering them worthless.
- The market capitalisation of the digital assets industry is mainly led by Bitcoin, which represents more than 50% of the total market capitalisation. A significant position in any digital asset other than Bitcoin (and, depending on the case, including Bitcoin) may require several days or weeks to be unwound, with a possible negative effect on the price of the Digital Asset.
- The market for the relevant Digital Assets may experience periods of decreased liquidity or even periods of illiquidity, hence under certain market conditions, it may be difficult or impossible to liquidate a position.
- There is no guarantee that a private company will conduct an initial public offering or provide an alternative exit strategy for your invested capital.
- Technology relating to Digital Assets is still at an early stage and best practices are still being determined and implemented. Digital Assets technology is likely to undergo significant changes in the future. Technological advances in cryptography, code breaking or quantum computing, etc., may pose a risk to the security of Digital Assets. In addition, alternative technologies could be established, making some Digital Assets less relevant or obsolete.
- The functioning of Digital Assets relies on open-source software (non-permissioned distributed ledger). Developers may introduce weaknesses and programming errors into the open-source software or may stop developing the open-source software (potentially at a critical stage where a security update is required), keeping Digital Assets exposed to weaknesses, programming errors and threats of fraud, theft and cyber-attacks (see also ″Fraud, theft and cyber-attack risk″ below).
Some Digital Assets networks have experienced a surge in the number of transactions over the last few years. An increasing number of transactions coupled with the inability to implement changes to Digital Assets technology may result in a slower processing time of Digital Assets transactions (potentially days to verify a transaction) and/or a substantial increase in Digital Assets transaction fees paid to so called ″miners″ (when relevant) for facilitating the processing of transactions.
- Base layer transactions on a DLT or other distributed ledger are irreversible and final, and the history of transactions is computationally impractical to modify. Consequently, if the Client initiates or requests a transfer of Digital Assets using an incorrect distributed ledger address, it will be impossible to identify the recipient and reverse the defective transaction.
- The Client should be aware that any purchase and sale of Digital Assets may be stored in a public distributed ledger and may therefore be visible to the public. Such a decentralised public ledger is neither the property of nor under the control of Taurus. Information available on the decentralised public ledger may be exploited or misused in unforeseen ways.
Hard fork risk
- Since there is no central body (e.g. a central bank or a government agency) overseeing the development of technology relating to Digital Assets, the functioning of Digital Assets, as well as further improvements of such functioning (e.g. ability to increase number of transactions, reduce processing time, reduce transaction fees, implement security updates), relies on the collaboration and consensus of various stakeholders, among others, developers enhancing the open-source software related to a Digital Asset or so called ″miners″ facilitating the processing of transactions. Any disagreement among stakeholders may result in a split of the Digital Asset network into two or more incompatible versions (such an event is called a ″hard fork″).
- As a result, trading venues on which Digital Assets are traded may suspend (temporarily or indefinitely) the ability to trade a particular version of a Digital Asset. Consequently, the Investors in the Digital Asset may (i) not get exposure (indefinitely) to all versions following a hard fork and forego the value of one or more versions, or (ii) may get exposure to a version on a delayed basis (in which case that version might have lost a significant part or all of its value).
- In addition, hard forks may result in instability of a Digital Asset version and hard forks or the threat of a potential hard fork may prevent the establishment of the corresponding Digital Asset as an accepted long-term medium of exchange.
Fraud, theft and cyber-attack risk
- The particular characteristics of Digital Assets (e.g., only exist virtually on a computer network, transactions in Digital Assets are not reversible and are done anonymously) make them an attractive target for fraud, theft and cyber-attacks. Various tactics have been developed (or weaknesses identified) to steal Digital Assets or disrupt Digital Assets technology (to name a few: ″51% attack″ where an adversary may take control over Digital Assets technology by providing 51% of the computer power in the Digital Assets network or ″denial of service attack″ where an adversary attempts to make Digital Assets network resources unavailable by overwhelming it with service requests). This may result in significant waiting periods, network congestion and delays during which the Client may be precluded from disposing of the relevant Digital Assets while their value may fluctuate significantly, or which may otherwise result in loss or damages.
- Investors in any particular Digital Asset are directly exposed to fraud, theft and cyber-attacks: (i) Any high profile losses as a result of such events (e.g. bankruptcy of the then largest Digital Assets exchange Mt. Gox in February 2014) may raise scepticism over the long-term future of Digital Assets and may prevent the establishment of Digital Assets as an accepted long-term medium of exchange and may increase the volatility and illiquidity of Digital Assets; (ii) any loss resulting from fraud, theft and cyber-attacks relating to hedging party(ies) of the Issuer will be borne by the Investors.
- Digital Assets are subject to a higher risk than usual of market abuse, market manipulation and insider dealing by market participants, due to a lack of regulation, supervision, market control and/or liquidity.
Legal, tax and regulatory risks
- Risk of non-compliance or change of legal and regulatory framework: The legal, tax and regulatory framework governing Digital Assets in and outside of Switzerland is far from settled and continuously evolving. Existing laws and regulations, changes to the legal, tax and regulatory framework and related measures by regulators or other governmental authorities may affect the compliant issuance, domestic and international tradability and transferability or convertibility of the Client’s Digital Assets and may potentially result in a full or partial loss of units or reduction of value (including reduction to zero) thereof.
- Any forthcoming regulatory actions may result in the illegality of some Digital Assets or the implementation of controls relating to the trading (and therefore liquidity) of Digital Assets. In addition, control mechanisms may increase Digital Assets transaction fees significantly (and therefore affect the bid/offer spread of the Product). Investors should ensure that investing in any Digital Asset complies with their local regulation.
- As of today, Digital Assets do not have a function as and/or the full characteristics of a legal tender (even if some Digital Assets may be accepted for payment in certain countries or jurisdictions by public institutions) and are currently not supervised by any authority or institution such as a central bank.
- Consequently, there is no authority or institution which may intervene in the Digital Assets market to stabilize the value of Digital Assets or prevent, mitigate or counteract irrational price developments of Digital Assets.
- Sending Digital Assets to an incorrect and/or a wrong distributed ledger address leads to a total and irremediable loss of funds. Once a transaction is executed, it is impossible to cancel or reverse this transaction. Therefore, users shall always check that a destination distributed ledger address is correct before confirming a transaction.
Credit & counterparty risk
- In the case of tokenized securities, the risk of default or bankruptcy of the underlying issuer is material in line with private equity and/or private debt investments.
Specific risks related to the custody of Digital Assets
Within the digital asset class, the following points have to be outlined when it comes to custody of digital assets:
- Owning a digital asset is equivalent to owning the private key (equivalent to a secret pin) that gives you access to it.
- Losing this private key is equivalent to never accessing those assets again. There is no central authority to contact to regenerate that key.
- Having this private key stolen is equivalent to giving full access to the assets to the malicious person/entity.
It is therefore of utmost importance that clients back up these private keys and store them securely.
In summary, it is highly recommended to only invest in Digital Assets the amounts the Client can afford to lose.
6. Adequacy of investment in digital assets with financial objectives
Investors willing to have exposure to digital assets should ensure their profile matches with the below characteristics of the asset class. Investors should seek advice from their investment advisors if they have any questions on the appropriateness of their profiles with the investment in digital assets, as well as to enhance their successful selection of opportunities within the asset class, according to their financial objectives and their risk tolerance.
Private and Professional
Knowledge and experience
Intermediate and Expert
Ability to bear losses
Total loss of capital possible
Not recommended to clients with no loss of capital possible.
Total default or bankruptcy of Issuers possible.
Risk reward profile
General asset accumulation
Hedge against systemic risk
Short term (for speculation purpose only)
Medium to long term