ASIC Tightens Grip on Crypto Custody in Major Rule Overhaul

The Australian Securities and Investments Commission (ASIC) has released updated guidelines for financial services firms that hold client assets, introducing new requirements for cryptocurrency custody and strengthening oversight of asset holders.ASIC Updates Asset Holding GuidelinesThe revamped Regulatory Guide 133 (RG 133), published today (Tuesday), marks the first major update since June 2022 and expands the scope of asset-holding requirements to address emerging risks in digital assets while reinforcing traditional custody standards."Asset holders must establish and maintain business continuity arrangements appropriate to their operations' nature, scale and complexity," states the new guidance, which takes effect immediately.Key Changes:Enhanced information security controls for crypto-asset custodiansStricter risk management processes for digital asset custodyUpdated financial requirements for asset holdersExpanded oversight of sub-custodial arrangementsThe guidelines apply to a broad spectrum of financial services providers, including registered scheme operators, licensed custodians, managed discretionary account providers, and operators of investor-directed portfolio services.At the end of September, Australia's regulator gained new powers to oversee financial market infrastructure. These reforms aim to enhance the stability and efficiency of the country's financial system. The Treasury Laws Amendment (Financial Market Infrastructure and Other Measures) Bill 2024, which received Royal Assent on September 17, introduces a series of measures designed to strengthen oversight of key entities that facilitate trading in Australia's capital markets.Regulator Adds Crypto Custody StandardsFor cryptocurrency custody, ASIC now requires providers to implement robust security protocols and maintain comprehensive risk management frameworks when dealing with crypto exchanges. This includes maintaining cold storage systems with limited connectivity to computing networks, implementing strong physical security for hardware devices storing private keys, and establishing geographically distributed backup locations for key recovery systems. Transaction security requirements mandate multi-signature or sharding-based signing approaches over single private key systems. Asset holders must implement permissioning processes that prevent single-party control over transactions. For products with limited interaction needs, the guidance recommends whitelisting predefined addresses to enhance security.For exchange due diligence, asset holders must conduct thorough evaluations of any crypto exchanges used. These exchanges must be registered with AUSTRAC or equivalent foreign authorities and implement risk-based systems under AML/CTF Act requirements.This is another crypto regulatory update from ASIC, after the market watchdog released a consultation paper earlier this month. The paper highlighted 13 practical examples for determining cryptocurrency services and ASIC is seeking public feedback on its proposals. This article was written by Damian Chmiel at www.financemagnates.com.