The recent collapse of FTX and alarming allegations of mishandling of client assets in that company have been viewed with concern by Blockchain Australia and our members. The collapse of the FTX exchange is likely to lead to significant financial impacts on many users, many of whom are Australian.
Blockchain Australia stands with our members in condemning in the strongest possible terms the misuse of client assets and lack of transparency around this recent collapse of a centralised exchange.
We strive to set high standards in policy engagement and expectations around conduct among our members to provide a safe experience for users of crypto-assets. The collapse of FTX tarnishes the good reputation and good work of the Australian digital currency exchanges which do meet industry standards, and the Blockchain Australia Code of Conduct.
Blockchain Australia, as the peak blockchain advocacy group in Australia, together with our members, has been advocating for years for a sensible custody regime to be put in place requiring that digital currency exchanges segregate their clients’ assets from operating capital. We welcome Treasury’s move to open consultations to safeguard crypto custody arrangements and regulate exchanges next year.
That advocacy includes submissions on custody to the Senate Inquiry into Australia as a Technology and Financial Centre, which led to recommendations in the Senate Report, and submissions to ASIC’s CP 343 (Crypto-assets as underlying assets for ETPs and other investment products), which were set down in Report 705.
Those custody principles for crypto-assets via a regulated investment vehicle are now part of ASIC’s INFO225 and include:
- That crypto-assets should be segregated on the blockchain;
- That private keys used to access crypto-assets should be generated and stored in a way that minimises the risk of loss and unauthorised access. For example:
  - solutions that protect private key material using hardware devices that are physically isolated and that have appropriately limited connectivity to other computing systems (cold storage) should be used. Private key material should not be held on internet-connected systems or networked hardware (hot storage) beyond what is strictly necessary for the operation of the product;
  - the hardware devices used to hold private key material should be subject to robust physical security practices; and
  - effective systems and processes for key backup and recovery should be maintained, with geographically distributed backup sites preferred;
- That signing approaches that minimise ‘single point of failure risk’ should be adopted;
- That robust systems and practices for the receipt, validation, review, reporting and execution of instructions for dealing with segregated assets should be in place;
- That robust cyber and physical security practices should be in place, including appropriate internal governance and controls, risk management and business continuity practices;
- That cybersecurity practices and the controls environment should be independently verified to an appropriate standard – such as through SOC 1/2, GS 007, ISO 27001/2, NIST CSF or other appropriate certification or attestation.
While no regulation can prevent all instances of dishonesty or fraud, and more details are emerging as to just what occurred in relation to FTX, sensible custody practices and rules are a clear first step to improve the safety of clients’ assets.
We are urging all our digital currency exchange members to segregate customer assets from operating capital and to meet the good industry practices set out above.
For all media inquiries please contact John Bassilios – email@example.com