Governance

  3.115 Institutions should establish an approved and documented governance framework for effective decision-making and proper management and control of risks arising from the use of DLT. The governance framework should include the following, as may be relevant depending on the type of DLT:
    a. Cover the following elements integral to the functioning of a DLT Application:
    b. Ownership model of the DLT platform and the Nodes running on it;
    c. The model used to operate and manage the distributed ledger (e.g. a consortium, a single Institution);
    d. Rules to govern the ledger(s) including participant and validator rules and restrictions;
    e. Approval processes and procedures to grant access to create, read, update or deactivate Data stored on the distributed ledger(s);
    f. Managing public and private keys;
    g. Consensus protocol; and
    h. Off-chain procedures (if any) including parameters for the validity of an off-chain activity and any standards or requirements for off-chain systems are defined and complied with.
    i. Define the roles and responsibilities of the key groups involved with respect to the design, development, and operation of the distributed ledger(s). Key groups may include:
      i. Core group who will design, govern and operate the distributed ledger(s);
      ii. Qualified users of the distributed ledger(s), such as other Institutions and miners;
      iii. Participants involved in the distributed ledger(s), such as owners of cryptocurrency etc.; and
      iv. Third Parties including Outsourcing Service Providers such as custodians or software developers involved in delivering the service.
  3.116 Reviews of the DLT Application should be conducted with oversight from Senior Management, prior to launch and thereafter on an on-going basis to ensure its reliability and security.
  3.117 Institutions should establish clear and unambiguous governing rules for participants of the distributed ledger(s) for onboarding, on-going operations and dispute resolution.
  3.118 When Outsourcing to an Outsourcing Service Provider, Institutions should ensure that access to information is adequately controlled, monitored, reviewed, and audited by the Institution’s internal control functions, and regulators, or persons employed by them, including supervisory reviews by the respective Supervisory Authority.
  3.119 Institutions should ensure that their DLT Applications maintain appropriate evidence and records to enable the Institution’s internal control functions, external auditors, regulators, and other authorities to conduct their audits and reviews. Accordingly, Institutions should:
    a. Record and store the additional evidence and information to provide auditors with a complete representation of processes, internal controls, financial statements, etc., and for proper accounting treatment of the transaction;
    b. Ensure that a log of records of the DLT Application is fully available and accessible to the relevant parties to audit and review;
    c. In the event that the DLT is in the form of a blockchain, ensure that off-chain activities, rules and protocols associated with and any link to on-chain activities are recorded and stored; and
    d. Ensure that the DLT code and subsequent updates are recorded and stored.