Entire Section

  • COB 14.1 COB 14.1 Technology and governance requirements for Operating a Facility for Investment Tokens

    • COB 14.1.1 COB 14.1.1

      Without limiting the generality of the technology resources requirements in COB section 9.5, an Authorised Firm Operating a Facility for Investment Tokens must:

      (a) ensure that any DLT application used by the facility operates on the basis of ‘permissioned’ access, so that it allows the operator to have and maintain adequate control over the Persons who are permitted to access and update records held on that DLT application;
      (b) establish and maintain adequate measures to ensure that the DLT application used by the facility, and the associated rules and protocols, contain:
      (i) clear criteria governing Persons who are permitted to access and update records for the purposes of trading or clearing Investment Tokens on the facility, including criteria about the integrity, credentials and competencies appropriate to the roles played by such persons;
      (ii) measures to address risks, including to network security and network compatibility, that may arise through systems used by Persons permitted to update the records on the DLT application; and
      (iii) processes to ensure that the Authorised Firm undertakes sufficient due diligence and adequate monitoring of ongoing compliance, relating to the matters referred to in (i) and (ii);
      (3) ensure any DLT application used by its facility is fit for purpose; and
      (4) have regard to industry best practices in developing its technology design and technology governance relating to DLT that is used by the facility.


      Derived from DFSA RMI311/2021 (Made 30th June 2021). [VER39/10-21]

      • COB 14.1.1 Guidance

        1. To be fit for purpose, the technology design of the DLT application used by an Authorised Firm Operating a Facility for Investment Tokens should be able to address how the rights and obligations relating to the Investment Tokens traded on that facility are properly managed and are capable of being exercised or performed. For example, where a Security Token confers rights and obligations substantially similar to those conferred by a Share in a company, the DLT application would generally need to enable the management and exercise of the shareholder’s rights. This may, for example, include the right to receive notice of, and vote in, shareholder meetings, receive any declared dividends and participate in the assets of the company in a winding up.
        2. To ensure the technology governance of any DLT application used by its facility is fit for purpose, an Authorised Firm should, as a minimum, have regard to the following:
        a. careful maintenance and development of the relevant systems and architecture in terms of its code version control, implementation of updates, issue resolution, and regular internal and third party testing;
        b. security measures and procedures for the safe storage and transmission of data in accordance with agreed protocols;
        c. procedures to address changes in the protocol which result in the splitting of the underlying distributed ledger into two or more separate ledgers (often referred to as a ‘fork’). These procedures should be effective whether or not the new protocol is backwards compatible with the previous version (soft fork), or not (hard fork), and should address access to information where such a fork is created;
        d. procedures to deal with system outages, whether planned or not;
        e. decision-making protocols and accountability for decisions;
        f. procedures for establishing and managing interfaces with providers of Digital Wallets; and
        g. whether the protocols, smart contracts and other inbuilt features of the DLT application meet at least a minimum acceptable level of reliability and safety requirements, including to deal with a cyber or hacking attack, and determine how any resulting disruptions would be resolved.
        3. Some parts of trading Investment Tokens, for example, order matching, may take place ‘off-chain’ (i.e. not using DLT). In those circumstances, the operator should still maintain adequate control over Persons who are undertaking those activities, as they are agents or delegates of the operator.


        Derived from DFSA RMI311/2021 (Made 30th June 2021). [VER39/10-21]