Policies and procedures are essential for any business, but which policies should your crypto fund have?
As the crypto asset space matures, we are seeing more and more institutional interest, and with this comes additional scrutiny and requirements. If you want to attract this capital, the startup model your fund has traditionally run on may not be enough. One of the first steps you can take to show the maturity of your fund is to put in place appropriate policies and procedures around the key areas of your organisation.
There are many policies and procedures any fund is required to have; however, when you are running a crypto fund, some of them are unique to the industry.
The following are three policies crypto funds should focus on:
Information Security Policy
This one is probably a little obvious, but given the nature of digital assets, cyber security is one of the main concerns for investors. While cyber security is important in any fund, it should be emphasised in a crypto fund. Due to the nature of the fund’s operations, many functions are automated or accessed remotely, and this makes them a prime target for hackers.
All crypto funds should have a cyber security policy, but this policy shouldn’t just be a document that is written once and filed for the regulators and auditors to look at. A good cyber security policy is a practical document that is updated as the organisation grows and matures. Cyber security should be a daily practice in which all employees take part, not something you get training on once a year and then forget about.
You are only as secure as your weakest link, and it has been proven time and time again that social engineering remains one of the most effective ways for hackers to gain access to a system.
So which areas should you cover in your policy?
Training remains one of the most effective ways to avoid hacks. When users are aware of the latest methods used by hackers and know what to look out for, the security of your organisation improves significantly. Don’t just dust off the same training that was presented last year; look at the latest hacks, or get an expert who works in the industry to present the training to your users. The time and money spent on good training can save your organisation millions if it stops one user from clicking on the wrong link.
User access isn’t a sexy topic, but it is critical in any organisation. This includes how new users are granted access, as well as how access is changed or terminated when a user leaves the organisation. You also want to decide whether certain accounts, such as exchange and custody accounts, will be required to use two-factor authentication, whether password management software will be used, and what password complexity you require.
If a person in your organisation is using the same username and password on their news app as on their custodian login, this is a significant security weakness you might not even be aware of. With good policies and procedures you can prevent this from ever happening.
Vendor due diligence
In the business world of today there are very few organisations, if any, that don’t rely on some third-party service provider in their IT infrastructure. Whether this is your email service provider or a cloud storage solution, you may be vulnerable in ways that you are not even aware of. In the crypto industry this extends further to the exchanges, custodians and other service providers, such as the wallets you use in your day-to-day operations.
Vendors should undergo a strict, documented vetting process when the initial decision is made on which vendor to appoint. The process should not stop there, however. Your organisation should reassess vendors at least annually afterwards to ensure they still comply with the standards you require.
When designing a cyber security policy there are many other areas that should be considered, some of which are required by law in different jurisdictions. We won’t bore you with an extensive list in this article, but if you want to discuss this further, please feel free to reach out to us. Implementing a well thought out and practical policy can protect your organisation not only from significant potential financial loss, but also from reputational loss.
Anti Money Laundering/Know Your Customer (AML/KYC) Policy
This one may not be that obvious. A lot of funds think that their Anti Money Laundering/Know Your Customer (AML/KYC) policy is taken care of by their fund administrator; however, it is still the fund’s responsibility to ensure the administrator is adhering to the AML and KYC standards, especially where the administrator is based in a different jurisdiction from the one where the fund is domiciled. We all know how hard it is to keep up with the regulatory changes of one jurisdiction. Your administrator needs to stay up to date with every single jurisdiction they have a client in. Because of this, many of them will only implement their local jurisdiction’s standard, which may not comply with your fund’s requirements.
AML and KYC are also of additional interest to regulators when dealing with anything in the cryptocurrency industry. Unfortunately, many people still believe cryptocurrencies are only used for illegal activities and due to this, your fund may be under additional scrutiny. For any contributions in kind, you have to take extra care to ensure your administrator is performing the minimum required procedures and checks to gain comfort over the contributions received.
This is why your fund has to have its own AML and KYC policies, with procedures in place to review the fund administrator and ensure compliance with all the relevant regulations.
This doesn’t have to be difficult: you can get a service provider to develop a due diligence checklist for your fund. The fund administrator can complete it annually, or you can simply document the review and the procedures you performed to assess the administrator’s policies and procedures.
Crypto-specific Policies
We’ve left the best for last. These are policies that are unique to a crypto fund. They depend on the type of strategy you are running, so not all of them may apply to you:
Any fund that self-custodies assets should have a custody policy which details all the policies and procedures around the self-custody process. This includes:
- how wallets are created,
- how private keys are stored,
- how seed phrases are stored,
- how transactions are performed,
- who has access to hardware,
- who can approve transactions and
- what happens when any private key data is compromised.
The CryptoCurrency Security Standard (CCSS) provides a great starting point for what to cover.
Many funds have confidentiality concerns when setting up these kinds of policies. Remember, however, that the goal of any custody solution is to create a system with no single point of failure. Your solution should be designed so that even with the custody policy in hand, a malicious actor could not easily access any assets. You can achieve this through levels of segregation, the tools you use and physical controls (we love thinking about these things, so let us know if you are struggling).
The custody policy is not limited to funds that self-custody assets. Funds using third-party custodians should also have well documented policies and procedures. These should cover vendor due diligence procedures, annual reviews, user access creation and termination, transaction approval requirements and segregation of duties. This doesn’t have to be a completely separate policy; it can be included in your cyber security or IT policy to make it easier.
A good policy gives all staff an overview of the operations and ensures that other staff will be able to continue the operations of the fund if a colleague cannot fulfil their duties.
You do not want to be in a position where you have to explain to investors that they cannot access their funds because John is the only one with access to the custodian account and you never thought about a scenario where he might not be able to access the assets.
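As an added illustration of the "no single point of failure" goal above and of the scenario where a single person holds the only access to the assets, here is a threshold split of a key (Shamir's secret sharing): any two of three holders can reconstruct the key, but one holder alone learns nothing useful. This is example code written for this article, not code from the original page or from the CCSS; the placeholder key, the two-of-three parameters and the function names are all constructed for the demonstration.

```python
"""Threshold key splitting (Shamir's secret sharing) as a worked illustration of
'no single point of failure' in a custody design.

Added example for this article, not code from the original page or from CCSS.
The "key" used below is a constructed placeholder, not real key material.
"""
import secrets
from typing import Callable, List, Tuple

# All arithmetic is modulo a large prime, so a single share reveals nothing
# about the secret. 2**127 - 1 is a Mersenne prime; secrets up to 126 bits fit.
PRIME = 2**127 - 1

Share = Tuple[int, int]  # (x, f(x)): a point on the secret polynomial


def split_secret(secret: int, threshold: int, share_count: int,
                 rng: Callable[[int], int] = secrets.randbelow) -> List[Share]:
    """Split `secret` into `share_count` shares; any `threshold` of them rebuild it.

    The secret is the constant term of a random polynomial of degree
    threshold - 1; each share is that polynomial evaluated at x = 1, 2, ...
    """
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a non-negative integer below PRIME")
    if not 1 <= threshold <= share_count:
        raise ValueError("need 1 <= threshold <= share_count")
    # Constant term is the secret; the remaining coefficients are random.
    coeffs = [secret] + [rng(PRIME) for _ in range(threshold - 1)]
    shares = []
    for x in range(1, share_count + 1):  # never evaluate at x = 0 (that is the secret)
        y = 0
        for c in reversed(coeffs):       # Horner's rule: ((c_k*x + c_{k-1})*x + ...) + c_0
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover_secret(shares: List[Share]) -> int:
    """Lagrange-interpolate f(0) from the supplied shares.

    Returns the true secret only when at least `threshold` distinct shares are
    supplied; with fewer shares the result is a wrong, random-looking value.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % PRIME       # product of (0 - x_j)
                den = (den * (xi - xj)) % PRIME   # product of (x_i - x_j)
        # Modular inverse of den by Fermat's little theorem (PRIME is prime).
        basis_at_zero = num * pow(den, PRIME - 2, PRIME)
        total = (total + yi * basis_at_zero) % PRIME
    return total


def demo_two_of_three(secret: int) -> dict:
    """Show that any two of three holders rebuild the key, but one alone cannot."""
    shares = split_secret(secret, threshold=2, share_count=3)
    return {
        "holders_1_and_2": recover_secret([shares[0], shares[1]]) == secret,
        "holders_2_and_3": recover_secret([shares[1], shares[2]]) == secret,
        "all_three":       recover_secret(shares) == secret,
        "holder_1_alone":  recover_secret([shares[0]]) == secret,  # False: one holder is not enough
    }


if __name__ == "__main__":
    # Constructed 15-byte placeholder (fits below PRIME); not a real key.
    PLACEHOLDER_KEY = int.from_bytes(b"not-a-real-key!", "big")
    print(demo_two_of_three(PLACEHOLDER_KEY))
```

In a custody design built on this idea, each share lives on separate hardware held by a separate person, and the custody policy records who holds which share and who must approve before shares are brought together, which is exactly the "who has access to hardware" and "who can approve transactions" material the list above asks for. Losing one holder then delays a transaction rather than locking the fund out.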
If your fund is participating in staking or decentralised finance, there are a number of considerations that are specific to a crypto fund that you have to cover in your policies and procedures.
Firstly you have to look at the vetting process for the protocols that you are investing in. Have you reviewed security audits, open source code libraries, the team, community and any other relevant sources of information?
Secondly, have you developed detailed procedures for interacting with these protocols? These procedures should ensure the highest level of security in your operations and, where third parties are used in this process, that detailed vendor due diligence was performed on them. Due to the nature of digital assets these considerations are vital, and if developed and implemented correctly they can prevent a fund from losing investor assets.
Beyond the above, your policies should also cover aspects such as collecting and validating blockchain data, accounting for returns received and the taxation of those returns. As the industry matures and new guidance is issued, these policies should be reviewed and updated at least annually to ensure you have considered all the possible implications of changes and how they will impact your fund and investors.
Policies and procedures are not sexy, but they are critical to the operations of any company. They are a great opportunity to sit back and think about all the things you need to consider in your day to day operations. Well written policies should not be a burden and should help ensure the efficient and secure operations of any crypto fund.