The regulation clarifies the IT controls that custody providers must have in place to mitigate cyber risk in managing cryptocurrency wallets and keys.
New regulations for cryptocurrency custody providers by Thailand Securities and Exchange Commission (SEC) on Monday (16th January) came into force.
They need digital asset custodians (as they are called by the SEC) to establish a wallet management system that ensures the efficient management of digital assets and keys, as well as the security of client assets.
Among other requirements, companies providing such storage services must meet the following requirements:
- Risk management policies for wallet and key storage, including communications and internal controls to ensure compliance.
- Procedures for designing, developing, and managing wallets and creating, maintaining, and accessing keys to ensure safety and security.
- a contingency plan for events that may affect wallet and key management; and
- Regular audits of system security and digital forensic investigations of events impacting client assets.
These regulations have been around for a long time. Last July, the SEC introduced its first licensing scheme for digital asset managers. This was followed by the promulgation of regulations on the operation of such businesses last September.
With the new regulation, the SEC now provides specific guidance on the IT controls Thai custody providers must have in place to mitigate the cyber risks associated with managing cryptocurrency wallets and keys.
The development continues in the same vein as Thailand introduced last year to strengthen investor protection in cryptocurrencies. These include proper management of client assets in both fiat and cryptocurrency custody by companies, stronger advertising rules, and a ban on accepting and lending cryptocurrencies.
In many ways, Thailand has responded very quickly to cryptocurrency regulation compared to other countries in the region. For example, it has set guidelines to regulate financial services, including baht-backed stablecoins, in early 2021. This is a year ahead of Japan, Hong Kong and Singapore, which have just started discussing or actually regulating fiat-backed stablecoins in 2022.
Of course, this is not a question of fastest being the winner. Remember turtles and rabbits? Oversight and enforcement are equally important in the implementation of any regulatory regime.
Nonetheless, the swift and timely introduction of new regulations to govern Thailand’s nascent crypto sector will provide business transparency, set regulatory expectations, and help the rapidly evolving crypto sector. It helps you not to be late.
For an overview of Thailand’s crypto regulation, see Elliptic’s country guide.
Tung Li Lim is Senior Policy Advisor for APAC at blockchain analytics firm Elliptic and former Deputy Director General of the Monetary Authority of Singapore (MAS).