
  • COB 14 Additional Requirements for Firms Providing Financial Services Relating to Investment Tokens

    • COB 14.1 Technology and governance requirements for Operating a Facility for Investment Tokens

      • COB 14.1.1

        Without limiting the generality of the technology resources requirements in COB section 9.5, an Authorised Firm Operating a Facility for Investment Tokens must:

        (a) ensure that any DLT application used by the facility operates on the basis of ‘permissioned’ access, so that it allows the operator to have and maintain adequate control over the Persons who are permitted to access and update records held on that DLT application;
        (b) establish and maintain adequate measures to ensure that the DLT application used by the facility, and the associated rules and protocols, contain:
        (i) clear criteria governing Persons who are permitted to access and update records for the purposes of trading or clearing Investment Tokens on the facility, including criteria about the integrity, credentials and competencies appropriate to the roles played by such persons;
        (ii) measures to address risks, including to network security and network compatibility, that may arise through systems used by Persons permitted to update the records on the DLT application; and
        (iii) processes to ensure that the Authorised Firm undertakes sufficient due diligence and adequate monitoring of ongoing compliance, relating to the matters referred to in (i) and (ii);
        (3) ensure any DLT application used by its facility is fit for purpose; and
        (4) have regard to industry best practices in developing its technology design and technology governance relating to DLT that is used by the facility.

         

        Derived from DFSA RMI311/2021 (Made 30th June 2021). [VER39/10-21]

        • COB 14.1.1 Guidance

          1. To be fit for purpose, the technology design of the DLT application used by an Authorised Firm Operating a Facility for Investment Tokens should be able to address how the rights and obligations relating to the Investment Tokens traded on that facility are properly managed and are capable of being exercised or performed. For example, where a Security Token confers rights and obligations substantially similar to those conferred by a Share in a company, the DLT application would generally need to enable the management and exercise of the shareholder’s rights. This may, for example, include the right to receive notice of, and vote in, shareholder meetings, receive any declared dividends and participate in the assets of the company in a winding up.
          2. To ensure the technology governance of any DLT application used by its facility is fit for purpose, an Authorised Firm should, as a minimum, have regard to the following:
          a. careful maintenance and development of the relevant systems and architecture in terms of its code version control, implementation of updates, issue resolution, and regular internal and third party testing;
          b. security measures and procedures for the safe storage and transmission of data in accordance with agreed protocols;
          c. procedures to address changes in the protocol which result in the splitting of the underlying distributed ledger into two or more separate ledgers (often referred to as a ‘fork’). These procedures should be effective whether or not the new protocol is backwards compatible with the previous version (soft fork), or not (hard fork), and should address access to information where such a fork is created;
          d. procedures to deal with system outages, whether planned or not;
          e. decision-making protocols and accountability for decisions;
          f. procedures for establishing and managing interfaces with providers of Digital Wallets; and
          g. whether the protocols, smart contracts and other inbuilt features of the DLT application meet at least a minimum acceptable level of reliability and safety requirements, including to deal with a cyber or hacking attack, and determine how any resulting disruptions would be resolved.
          3. Some parts of trading Investment Tokens, for example, order matching, may take place ‘off-chain’ (i.e. not using DLT). In those circumstances, the operator should still maintain adequate control over Persons who are undertaking those activities, as they are agents or delegates of the operator.

           

          Derived from DFSA RMI311/2021 (Made 30th June 2021). [VER39/10-21]

    • COB 14.2 Operating a Facility for Investment Tokens which permits direct access

      • Application

        • COB 14.2.1

          This section applies to an ATS Operator that has Direct Access Members.

           

          Derived from DFSA RMI311/2021 (Made 30th June 2021). [VER39/10-21]

          • COB 14.2.1 Guidance

            1. A Direct Access Member is defined in GLO as a Person that an ATS Operator has admitted as a member under COB Rule 9.3.1(1)(e).
            2. A Person will only be admitted as a Direct Access Member where that Person does not meet any of the criteria at COB 9.3.1(1)(a)-(d), although a Person admitted as a member under any of those criteria may also trade Investment Tokens. A Direct Access Member may be an individual or a Body Corporate, but will not, for example, be an Authorised Firm or an institutional investor whose main activity is to invest in financial instruments.
            3. See also the requirements relating to Direct Access Members in COB Rule 9.3.1(4).

             

            Derived from DFSA RMI311/2021 (Made 30th June 2021). [VER39/10-21]

      • Requirements

        • COB 14.2.2

          An ATS Operator must ensure that:

          (a) it treats each Direct Access Member as its Client;
          (b) its Operating Rules clearly set out:
          (i) the duties owed by the ATS Operator to the Direct Access Member and how the ATS Operator is held accountable for any failure to fulfil those duties; and
          (ii) the duties owed by the Direct Access Member to the ATS Operator and how the member is held accountable for any failure to fulfil those duties;
          (c) appropriate investor redress mechanisms are available, in accordance with GEN chapter 9, and disclosed to each member permitted to trade Investment Tokens on its facility; and
          (d) its facility contains a prominent disclosure of the risks associated with the use of DLT for trading and clearing Investments, particularly those relating to Digital Wallets and the susceptibility of private cryptographic keys to misappropriation.

           

          Derived from DFSA RMI311/2021 (Made 30th June 2021). [VER39/10-21]

        • COB 14.2.3

          (1) Without limiting the generality of the systems and controls obligations of the ATS Operator, an ATS Operator must have in place adequate systems and controls to address market integrity, AML, CTF or investor protection risks in permitting a Direct Access Member to trade on its facility, including procedures to:
          (a) identify the ultimate beneficial owner of a Direct Access Member, where such a member is a body corporate;
          (b) ensure that appropriate customer due diligence sufficient to address AML and CTF risks has been conducted on each Direct Access Member, prior to permitting that member to trade on its facility;
          (c) detect and address market manipulation and abuse;
          (d) ensure that there is adequate disclosure relating to the Investment Tokens that are traded on the facility, including through prospectus and on-going disclosure under MKT chapters 2, 4 and 6.
          (2) An ATS Operator must have adequate controls and procedures to ensure that trading in Investment Tokens by Direct Access Members does not pose any risks to the orderly and efficient functioning of the facility’s trading system, including controls and procedures to:
          (a) mitigate counterparty risks that may arise from defaults by Direct Access Members through adequate collateral management measures, such as margin requirements, based on the settlement cycle adopted by the ATS Operator;
          (b) identify and distinguish orders that are placed by Direct Access Members, and, if necessary, enable the ATS Operator to stop orders of, or trading by, such members;
          (c) prevent Direct Access Members from allowing access to other persons to trade on the trading facility; and
          (d) ensure that Direct Access Members fully comply with the Operating Rules of the facility and promptly address any gaps and deficiencies that are identified.
          (3) An ATS Operator must have adequate resources and systems to carry out front-line monitoring of the trading activities of Direct Access Members.
          (4) An ATS Operator must ensure that, to the extent that any of the systems and controls referred to in (1) are embedded within, or otherwise facilitated through DLT, they are included within the scope of the annual audit and the written report required under COB Rule 14.5.1.

           

          Derived from DFSA RMI311/2021 (Made 30th June 2021). [VER39/10-21]

          • COB 14.2.3 Guidance

            1. To satisfy the DFSA of the matters referred to in COB Rule 14.2.3(1), an ATS Operator should, as a minimum, be able to demonstrate that it has effective procedures built into its DLT or similar technology application being used that enable:
            (a) the clear identification of each Direct Access Member accessing its facility to trade; and
            (b) the monitoring of bid and offer prices and volatility for any indications of market manipulation or abuse.

             

            Derived from DFSA RMI311/2021 (Made 30th June 2021). [VER39/10-21]

    • COB 14.3 Requirements for Providing Custody of Investment Tokens

      • Interpretation

        • COB 14.3.1

          In this section:

          (a) “Digital Wallet Service Provider” means an Authorised Firm Providing Custody of Investment Tokens by holding and controlling the public and private cryptographic keys relating to the Investment Tokens;
          (b) “Third Party Digital Wallet Service Provider” means:
          (i) a Digital Wallet Service Provider other than an ATS Operator Providing Custody of Investment Tokens traded on its facility; or
          (ii) a Person in another jurisdiction Providing Custody of Investment Tokens by holding and controlling the public and private cryptographic keys relating to the Investment Tokens, who is authorised and supervised for that activity by a Financial Services Regulator; and
          (c) “Self-Custody of Investment Tokens” means the holding and controlling of Investment Tokens by their owner, through the owner holding and controlling the public and private cryptographic keys relating to the Investment Tokens.

           

          Derived from DFSA RMI311/2021 (Made 30th June 2021). [VER39/10-21]

      • Application

        • COB 14.3.2

          This section applies to an Authorised Firm that is a Digital Wallet Service Provider.

           

          Derived from DFSA RMI311/2021 (Made 30th June 2021). [VER39/10-21]

          • COB 14.3.2 Guidance

            1. An Investment Token is an Investment, as defined in GEN Rule A2.1.1. The Financial Service of Providing Custody, as defined in GEN Rule 2.13.1, therefore includes Providing Custody of an Investment Token, and a Person carrying on that Financial Service will require a Licence to do so.
            2. An Authorised Firm which is Providing Custody of Investment Tokens is, in addition to the requirements in this section, subject to other relevant requirements that apply to a firm Providing Custody of Investments. Other requirements include the Client Asset requirements in COB section 6.11, the Client Investment requirements in COB section 6.13 and the Safe Custody Provisions in COB App 6.
            3. The Rules in this section will not apply to a Person providing a Digital Wallet to a Person who uses it for Self Custody of Investment Tokens, as the Security Tokens in that Digital Wallet are then held and controlled by that Person at their own risk.
            4. Private and public keys, which correspond to an electronic address, provide the mechanism to own and control Investment Tokens (and other crypto assets). A private key is generated first, with the public key derived from the private key using a known one-way algorithm which varies across protocols. The corresponding electronic address, which is used to send and receive crypto assets, is a cryptographic hash (i.e. a shorter representation created through a processing algorithm) of the public key (which is a longer string of characters). It is the private key that grants the user the right to dispose of the crypto asset at a given address. Losing the private key often results in the loss of ability to transfer the crypto asset.

             

            Derived from DFSA RMI311/2021 (Made 30th June 2021). [VER39/10-21]

      • Requirements

        • COB 14.3.3

          (1) A Digital Wallet Service Provider must ensure that:
          (a) any DLT application it uses in Providing Custody of Investment Tokens is resilient, reliable and compatible with any relevant facility on which the Investment Tokens are traded or cleared;
          (b) it is able to clearly identify and segregate Investment Tokens belonging to different Clients; and
          (c) it has in place appropriate procedures to enable it to confirm Client instructions and transactions, maintain appropriate records and data relating to those instructions and transactions and to conduct a reconciliation of those transactions at appropriate intervals.
          (2) A Digital Wallet Service Provider must ensure that, in developing and using DLT applications and other technology to Provide Custody of Investment Tokens:
          (a) the architecture of any Digital Wallet used adequately addresses compatibility issues and associated risks;
          (b) the technology used and its associated procedures have adequate security measures (including cyber security) to enable the safe storage and transmission of data relating to the Investment Tokens;
          (c) the security and integrity of cryptographic keys are maintained through the use of that technology, taking into account the password protection and methods of encryption used;
          (d) there are adequate measures to address any risks specific to the methods of usage and storage of cryptographic keys (or their equivalent) available under the DLT application used; and
          (e) the technology is compatible with the procedures and protocols built into the Operating Rules, or equivalent procedures and protocols on any facility on which the Investment Tokens are traded or cleared or both traded and cleared.

           

          Derived from DFSA RMI311/2021 (Made 30th June 2021). [VER39/10-21]

          • COB 14.3.3 Guidance

            Where an Authorised Firm that is a Digital Wallet Service Provider delegates any function to a Third Party Digital Wallet Service Provider, it must ensure that the delegate fully complies with the requirements of COB Rule 14.3.3. The outsourcing and delegation requirements of GEN Rule 5.3.21 and 5.3.22 will also apply to the Authorised Firm in those circumstances.

             

            Derived from DFSA RMI311/2021 (Made 30th June 2021). [VER39/10-21]

        • COB 14.3.4

          An ATS Operator that appoints a Third Party Digital Wallet Service Provider to Provide Custody of Investment Tokens traded on its facility, must ensure that the person is either:

          (a) an Authorised Firm appropriately authorised to be a Digital Wallet Service Provider; or
          (b) an entity that is regulated by a Financial Services Regulator to an equivalent level of regulation to that provided for under the DFSA regime for Providing Digital Wallet Services.

           

          Derived from DFSA RMI311/2021 (Made 30th June 2021). [VER39/10-21]

          • COB 14.3.4 Guidance

            Where an ATS Operator appoints a non-DIFC firm regulated by a Financial Services Regulator, it must undertake sufficient due diligence to establish that the non-DIFC firm is subject to an equivalent level of regulation as under the DFSA regime in respect of that service.

             

            Derived from DFSA RMI311/2021 (Made 30th June 2021). [VER39/10-21]

        • COB 14.3.5

          A Digital Wallet Service Provider must ensure that the report required under COB Rule 14.5.1 includes confirmation as to whether it has complied with the requirements in COB Rule 14.3.3.

           

          Derived from DFSA RMI311/2021 (Made 30th June 2021). [VER39/10-21]

    • COB 14.4 Provision of key features document for Investment Tokens

      • Application

        • COB 14.4.1

          This section applies to an Authorised Firm which carries on any one or more of the following Financial Services in respect of Investment Tokens:

          (a) Dealing in Investments as Principal;
          (b) Dealing in Investments as Agent;
          (c) Arranging Deals in Investments;
          (d) Managing Assets;
          (e) Advising on Financial Products;
          (f) Providing Custody; or
          (g) Arranging Custody.

           

          Derived from DFSA RMI311/2021 (Made 30th June 2021). [VER39/10-21]

        • COB 14.4.2

          (1) An Authorised Firm must not provide a Financial Service to which this section applies to a Person unless it has provided the Person with a key features document containing the information in (2).
          (2) The key features document must contain the following information relating to each Investment Token that is the subject of the Financial Services that the Authorised Firm will provide to the Person:
          (a) the risks associated with and essential characteristics of the Issuer (or other Person responsible for discharging the obligations associated with the rights conferred), and guarantor if any, of the Investment Token, including their assets, liabilities and financial position;
          (b) the risks associated with and essential characteristics of the Investment Token, including the rights and obligations conferred and the type or types of Investment which it constitutes;
          (c) whether the Investment Token is or will be admitted to trading and if so, the details relating to the admission, including details of the facility and whether the facility is within the DIFC;
          (d) whether the Client can directly access the trading facility, or whether access is only through an intermediary, and the process for accessing the facility;
          (e) risks associated with the use of DLT, particularly those relating to Digital Wallets and the susceptibility of private cryptographic keys to misappropriation;
          (f) whether the Client, the Authorised Firm or a third party is responsible for providing a Digital Wallet service in respect of the Investment Token, and any related risks (including at whose risk the Client’s Investment Tokens are held in the Digital Wallet, whether it is accessible online or stored offline, what happens if keys to the Digital Wallet are lost and what procedures can be followed in such an event);
          (g) how the Client may exercise any rights conferred by the Investment Tokens such as voting or participation in shareholder actions; and
          (h) any other information relevant to the particular Investment Token that would reasonably assist the Client to understand the product and technology better and to make informed decisions in respect of it.
          (3) The key features document must be provided in good time before the relevant Financial Service is provided to the Person, to enable that Person to make an informed decision about whether to use the relevant Financial Service.
          (4) The key features document does not need to be provided to a Person to whom the Authorised Firm has previously provided that information, if there has been no significant change since the information was previously provided.

           

          Derived from DFSA RMI311/2021 (Made 30th June 2021). [VER39/10-21]

    • COB 14.5 Technology audit reports

      • COB 14.5.1

        (1) This Rule applies to an Authorised Firm that:
        (a) is Operating a Facility for Investment Tokens;
        (b) holds or controls Client Investments that include Investment Tokens;
        (c) relies on DLT or similar technology to carry on one or more of the Financial Services specified in COB Rule 14.4.1 relating to Investment Tokens; or
        (d) is Managing a Collective Investment Fund where:
        (i) Units of the Fund are Security Tokens; or
        (ii) 10% or more of the gross asset value of the Fund Property of the Fund consists of Investment Tokens.
        (2) The Authorised Firm must:
        (a) appoint a suitably qualified independent third party professional to:
        (i) carry out an annual audit of the Authorised Firm’s compliance with the technology resources and governance requirements that apply to it, including those specified in this chapter; and
        (ii) produce a written report which sets out the methodology and results of that annual audit, confirms whether the requirements referred to in (i) have been met and lists any recommendations or areas of concern;
        (b) submit to the DFSA a copy of the report referred to in (a)(ii) within 4 months of the Authorised Firm’s financial year end; and
        (c) be able to satisfy the DFSA that the independent third party professional appointed to carry out the annual audit has the relevant expertise to do so, and that the Authorised Firm has done proper due diligence to satisfy itself of that fact.

         

        Derived from DFSA RMI311/2021 (Made 30th June 2021). [VER39/10-21]

        • COB 14.5.1 Guidance

          1. An Authorised Firm may appoint an Auditor to carry out the functions specified in COB Rule 14.5.1(2)(a), provided it is satisfied that the Auditor has the relevant expertise.
          2. Credentials that may indicate an independent third party professional is suitably qualified under COB Rule 14.5.1(2)(a):
          a. designation as a Certified Information Systems Auditor (CISA) or Certified Information Security Manager (CISM) by the Information Systems Audit and Control Association (ISACA);
          b. designation as a Certified Information Systems Security Professional (CISSP) by the International Information System Security Certification Consortium (ISC)²; or
          c. accreditation by a recognised and reputable body to certify compliance with relevant ISO/IEC 27000 series standards.

           

          Derived from DFSA RMI311/2021 (Made 30th June 2021). [VER39/10-21]