(a) A bank providing custodial services under
this chapter shall have verified mechanisms in place to assess its liquidity
needs, including sums required for the execution of transactions. These
mechanisms shall inform the bank's customer private key storage policy for
custodial services. Unless otherwise demonstrated to be no longer best
practices:
(i) The customer private key
storage policy should require that the method of digital asset storage (e.g.,
hot versus cold storage) be conducted on a risk-focused basis; and
(ii) The mechanism and thresholds for
transfer between hot, cold and other forms of storage must be well documented
and subject to rigorous internal controls and auditing. To ensure sufficient
liquidity and the protection of customer assets, a bank shall be able to timely
execute a withdrawal of all digital assets.
(b) As a component of the bank's private key
storage policy under subsection (a) of this section, a bank shall take into
account its ability to obtain insurance or other forms of risk
mitigation.
(c) A bank may generate a new data address, as defined in W.S. 17-16-140(a)(xlvii), for
each transaction to ensure a customer's privacy, security and confidentiality.
Before adopting such a policy, a bank shall consider potential business cases
where traceability of address activity is desirable, especially to ensure
compliance with federal customer identification, anti-money laundering,
sanctions and beneficial ownership requirements. A bank shall exercise
appropriate judgment in determining a data address strategy based on the use
case of its customers.
(d) Each digital asset type may have a different protocol for its wallet functionality.
Regardless of protocol differences, a bank shall demonstrate its ability to
manage a similar level of compliance related to safekeeping, recording and
transaction handling. A bank shall demonstrate compliance with the standards
outlined in these rules for every asset type in its custody.
(e) A bank shall develop a protocol for fraud
detection and adherence to federal customer identification, anti-money
laundering, sanctions and beneficial ownership requirements. This should
include a detection system for identifying suspicious transactions as well as a
procedure for reviewing and reporting identified transactions.
(f) A bank shall disclose to the
Commissioner, upon request, the methodology and data related to its asset
valuation calculations and, if possible, use recognized benchmarks or
observable, bona-fide, arms-length market transactions. A bank may provide a
summary of its methodology to customers or the public which does not disclose
proprietary data. A bank shall exercise due care where the current market value
of a digital asset is a conditional element of the transaction being executed.
A bank shall ensure adherence to its customer agreement and industry best
practices relating to the execution of exchange, derivatives, lending and other
transactions. A bank shall also disclose in advance the source of the asset
valuation to the customer and all signatories of the transaction.
(g) A bank shall have established roles and
responsibilities for custodial service operations and custody operational risk
management. Responsibility for manually executed (nonautomated) core functions
of custodial services should be performed by employees who have been subject to
appropriate background screenings.
(h) A bank shall provide industry-leading
information technology security training on a regular basis to all employees
and monitor its employees' compliance with established procedures. This training
shall include potential attacks that are specifically applicable to digital
assets. Two training programs may be produced, one for information technology
staff and one for non-information technology staff.
(j) A bank shall have appropriate numbers of
staff who are trained and competent to discharge their duties effectively. The
bank shall ensure that the responsibilities and authority of each staff member
are clear and appropriate given the staff member's qualifications and
experience, and that staff members receive the necessary training appropriate
for their respective roles.
(k) A bank shall review and document the adequacy of its training programs at least
annually, along with any relevant elements after the occurrence, or near
occurrence, of material risk incidents. Policies and procedures must also
provide for appropriate disciplinary measures for employees who violate
policies and procedures.
(l) For any outsourced services or integrated partnerships, a bank shall demonstrate
that proper due diligence was done in vetting the partner, whether an
affiliate, vendor or supplier, regarding information security, operational risk
and financial solvency. Although a bank may outsource such services,
responsibility for compliance with applicable laws and rules shall remain with
the bank. A bank shall also have sufficient governance mechanisms in place to
monitor the outsourced party's continued compliance. To the extent possible
under this chapter, bank policies on outsourcing or partnerships shall be
consistent with the bank's existing processes for outsourcing or
partnerships.
(m) A bank shall
regularly assess the risk of information technology systems or software
integrations with external parties, particularly as they relate to the risk of
malicious intrusion, unauthorized access or theft of customer assets in
custody, and ensure that appropriate safeguards are implemented to mitigate the
risk. A bank shall engage a qualified, independent third party to conduct
penetration testing annually. Results of such penetration tests shall be
documented and retained for at least five years in a manner that allows the
reports to be provided to the Commissioner upon request.
(n) For any third-party supplier of equipment
that enables core functions of custodial services (e.g. steel storage, cold
storage wallets, etc.), a demonstrated redundancy strategy shall exist that
allows the bank to maintain service level agreements in the event of primary
equipment or supplier failure.
(o) A bank shall provide to the Commissioner written verification that assets under
custody carry appropriate insurance or other financial protections, as
determined by the Commissioner, to cover or mitigate potential loss exposure.
(p) A bank shall maintain
documented policies and procedures related to customer identification,
anti-money laundering, sanctions and beneficial ownership requirements, which
shall be as reasonably consistent as possible with existing processes, for both
jurisdiction and asset types. A bank shall comply with all applicable federal
laws relating to anti-money laundering, customer identification, sanctions and
beneficial ownership, which may include enhanced compliance measures or
procedures necessary to comply with these laws. A bank shall, upon request by
the Commissioner, demonstrate its protocols for compliance with these laws,
including its new customer identity verification process as well as
any required ongoing screenings and transaction-specific screenings.
(q) A bank shall comply with the following
requirements:
(i) If applicable, a bank shall provide customer account statements as required by
17 C.F.R. § 275.206(4)-2(a)(3), as incorporated by reference on July 1, 2019, including a
timeframe of statement activity, all digital asset transactions specific to
each account with dates and transaction amounts of corresponding transactions,
balances for each type of digital asset and valuation of assets for each
digital asset type, including the method used to create the valuation,
consistent with subsection (f) of section 8.
(ii) Disclose all service level agreements
for custodial services to customers; and
(iii) Disclose its responsibilities with
respect to processing of corporate actions, pricing assets, providing
recordkeeping, reporting services, fund administration, performance
measurement, risk measurement and compliance monitoring.
(r) Consistent with W.S. 34-29-104(c), regular examinations of both customer currency
and digital assets shall be completed by an independent public accountant if required.
Any examination shall include, if feasible, independent and
cryptographically verifiable control of all digital assets under custody or a
random sample selected by the auditor. A proof of reserve scheme may be used,
if feasible, but only if customer privacy is protected by disclosing the total
balance, data addresses or keys to the independent public accountant on a
confidential basis. The examination conducted by the independent public
accountant under this subsection shall proceed as follows, unless otherwise
directed by the Commissioner for good cause:
(i) A bank shall provide the independent
public accountant with all public data addresses used and shall sign messages
demonstrating possession or control of private keys for those addresses. A hash
of the most recent block of an agreed-upon distributed ledger at the time of
signature shall be included in the signed message in order for messages to
serve as a timestamp for when the signature was made. Those signatures
shall be verified by the accountant. The accountant shall use the distributed
ledger to extract the total amount available at those addresses at a certain
point in time;
(ii) The accountant
shall determine to his satisfaction that a bank has control of the public data
addresses provided in the signed message by requiring a signed message of the
accountant's choosing using the private key to any of the public addresses
provided by a bank. A bank shall not provide the accountant with a private key
to any digital asset under custody;
(iii) A bank shall provide the digital asset
balances, per asset, of each customer to the accountant and generate a Merkle
tree, or in the determination of the Commissioner, any substantially similar
analogue. The accountant shall publicly publish the root node hash, and affirm,
if true, that the total holdings represented by the root hash closely
approximate the value that the accountant has verified in the wallet of the
bank relating to the distributed ledger. The accountant shall ensure that the
bank is not attempting to obfuscate or conceal material issues in the nodes
that lead to the root node; and
(iv) A bank shall provide customers with the
digital asset balances reported to the accountant, as well as the nodes and
adjacent nodes from their account to the root which matches the root node hash
published by the accountant. A bank shall disclose the hashing method used to
generate the hash for the bank's node to customers, so that customers can
verify that the node accurately represents the balance that is claimed,
enabling customers to independently prove that their account was included in
the data verified by the independent public accountant.
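The Merkle-tree step in paragraph (r)(iii) and the customer-side check in paragraph (r)(iv), as an added illustrative example in Python that is not part of these rules or of any bank's implementation. It assumes a Merkle sum tree over (customer, asset, balance) leaves, SHA-256 as the disclosed hashing method, and integer balances in base units; the root carries both a hash and a total so the accountant can compare that total against the on-chain amount from paragraph (r)(i), and each customer can verify inclusion from the sibling nodes alone without seeing other customers' balances.

```python
import hashlib

def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def leaf(customer_id: str, asset: str, balance: int) -> tuple[bytes, int]:
    """Leaf node = (hash, balance). The hash commits to customer, asset type and
    balance, so a node cannot claim a balance other than the one hashed."""
    assert balance >= 0, "negative balances would let a tree hide liabilities"  # assumed check
    data = f"{customer_id}|{asset}|{balance}".encode()
    return _h(b"leaf:", data), balance

def _parent(left: tuple[bytes, int], right: tuple[bytes, int]) -> tuple[bytes, int]:
    # Child sums are hashed alongside child hashes, so the root total is bound to the root hash.
    (lh, ls), (rh, rs) = left, right
    return _h(b"node:", lh, ls.to_bytes(16, "big"), rh, rs.to_bytes(16, "big")), ls + rs

def build_tree(leaves: list[tuple[bytes, int]]) -> list[list[tuple[bytes, int]]]:
    """Return all levels, leaves first; levels[-1][0] is the root (hash, total)."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur, nxt = levels[-1], []
        for i in range(0, len(cur) - 1, 2):
            nxt.append(_parent(cur[i], cur[i + 1]))
        if len(cur) % 2:
            nxt.append(cur[-1])  # odd node is promoted, not duplicated, so no double counting
        levels.append(nxt)
    return levels

def inclusion_proof(levels, index: int) -> list:
    """Sibling nodes on the path from leaf `index` to the root (None where promoted)."""
    proof = []
    for level in levels[:-1]:
        sib = index ^ 1
        proof.append((level[sib], sib < index) if sib < len(level) else None)
        index //= 2
    return proof

def verify(leaf_node: tuple[bytes, int], proof: list, root: tuple[bytes, int]) -> bool:
    """What a customer runs: recompute the path and compare to the published root hash and total."""
    node = leaf_node
    for entry in proof:
        if entry is not None:
            sib, sib_is_left = entry
            node = _parent(sib, node) if sib_is_left else _parent(node, sib)
    return node == root
```

The sample balances in the test are constructed; a published root would also need the accountant's attestation that the root total matches the ledger balance at the block named in the signed message.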
(s) The Commissioner may conduct an
examination of custodial services provided by a bank at any time, with or
without notice to the bank.
(t) A bank shall designate a method for the public to responsibly disclose critical
vulnerabilities or other potential exploits and security risks by protocol
developers. A bank shall designate at least one employee to be responsible for
handling inbound communication regarding critical security vulnerabilities or
other security sensitive matters.