REPORT: Bermuda Authorities Issue Far-Reaching Custodian Provider Code of Practice for Consultation; Remain Crypto Friendly

On 18 December, the Bermuda Monetary Authority (BMA) released a draft digital asset custody code of practice for a one month consultation period.1 The draft code is one of the most comprehensive custody provider guidelines to be issued by any jurisdiction.

The draft code is designed to provide additional clarity regarding the standards the BMA will impose when considering whether a custodian is employing an acceptable level of care with its client’s digital assets.2 Failure to comply with the business or technical provisions in the draft code will be taken into consideration by the BMA in determining whether a licensed digital asset firm is meeting its obligation to conduct its business in a sound and prudent manner.3

The provisions in Bermuda’s draft code of conduct for custodian providers incorporate a broad range of business and technology controls. The draft code will likely be closely reviewed, and possibly used as a model, by other jurisdictions, like the UK, which are drafting digital asset laws and regulations.

Proportionality Principle

The BMA will assess compliance with the code of practice in a proportionate manner relative to the nature, scale, and complexity of the firm.4 Higher standards may be warranted when a firm has a unique business model with extraordinary risk or there are generally accepted breakthroughs in cybersecurity risk management and mitigation strategy.5

Hot and Cold Storage Policies 

The draft code strongly recommends that the majority of client private keys, not required for client transactions, be held in cold storage to mitigate against client loss from cyber-attacks.6 The BMA also strongly recommends a minimal balance be kept in hot storage and the mechanism and thresholds for transfer between hot, cold and other storages must be well documented and audited.7 In no case is a firm permitted to hold less than 90% of client private keys not being used for trading or other transactions in cold storage.8

A digital asset firm must also provide a rationale for its choice of storage solutions. Factors for determining the best method of storage include, but are not limited to, the volume and speed at which transactions need to be completed and the client’s risk tolerance.9

Client Address Strategies

The practice of generating a new address for every transaction further ensures a client’s privacy and confidentiality. However, there are cases where traceability of address activity is desirable. The draft code requires the custodian to exercise judgment in determining an address strategy based on its clients’ usage, and to provide justification for that strategy.10

Fraud Detection and Due Diligence Standards

The draft code strongly recommends that digital asset businesses develop a protocol for fraud detection that includes a system for identifying suspicious transactions, as well as a procedure for reviewing suspicious transactions.11

Digital asset businesses must also document policies and procedures related to client identity verification requirements that include, but are not limited to, enhanced due diligence, sanction screenings and adverse media screenings.12

Proof of Asset Valuation and Reserves

The draft code mandates that digital asset businesses disclose the methodology behind their asset valuation calculations and, when possible, use recognized benchmarks or observable, bona fide, arm’s-length market transactions. The draft code strongly recommends that firms disclose the source of the asset valuation to the client and all signatories of the transaction.13

The draft code also strongly recommends that firms have a minimum amount of assets on-hand, within the organization, to withstand the withdrawal of all client assets and ensure sufficient liquidity for the protection of client assets. A periodic proof of reserves audit must also be completed.14

Reporting Standards and Insurability Protections

The draft code requires firms to issue customer statements at least quarterly. The statements must be designed to assure the integrity of the client accounts and permit clients to identify any erroneous or unauthorized transactions, withdrawals or balances.15

Digital asset businesses must also demonstrate that assets under custody carry appropriate insurance or other financial protections to cover or mitigate potential loss exposure.16

Custody Safekeeping Standards

The draft code requires firms to have controls in place to ensure digital assets are securely created and stored. Uninterrupted availability of assets is another important requirement.17 The draft code strongly recommends that seeds should be created using a National Institute of Standards and Technology (NIST) compliant deterministic random bit generator.18

The draft code requires firms to have secure deletion and destruction mechanisms in place to ensure that unwanted artifacts from seed, key and wallet generation are removed.19 The draft code also requires firms to ensure that fewer than the number of keys required to transact will ever be stored online or in any one physical location. Key/seed backups must be stored in a separate location from the primary key/seed.20

Digital asset businesses must ensure that a regular and recurring internal audit, at least quarterly, of the backup seeds is performed on storage devices to ensure that no backups were tampered with or removed.21
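The two storage rules summarised above, the 90% cold-storage floor from the hot and cold storage section and the requirement that fewer keys than the signing threshold ever sit online or in one physical location (with backups held apart from their primaries), are the kind of thing a custodian's control owner can check mechanically against a key inventory. The following Python is an added example, not code from the BMA draft code or from any custodian; the inventory format, the field names, the site labels and the sample records are all constructed assumptions.

```python
"""Compliance check over a custodian key inventory (added example; the
record format, field names and sample data below are assumptions, not part
of the BMA draft code).

Checks implemented:
  1. at least 90% of client private keys not needed for active transactions
     are held offline (cold storage floor);
  2. for each wallet, fewer distinct keys than its signing threshold are held
     online or at any single physical site, and every backup is stored at a
     different site from the primary it duplicates.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class KeyRecord:
    key_id: str
    wallet: str
    location: str                    # physical site label
    online: bool                     # held on a network-connected system
    in_use: bool                     # needed for active client transactions
    backup_of: Optional[str] = None  # key_id of the primary this backs up


@dataclass(frozen=True)
class Wallet:
    name: str
    threshold: int                   # m in an m-of-n signing policy


def cold_storage_ratio(keys: List[KeyRecord]) -> float:
    """Share of idle primary keys held offline. The draft code floor is 0.90."""
    idle = [k for k in keys if k.backup_of is None and not k.in_use]
    if not idle:
        return 1.0
    return sum(1 for k in idle if not k.online) / len(idle)


def concentration_findings(wallets: List[Wallet], keys: List[KeyRecord]) -> List[str]:
    """Human-readable findings where a single site or the online estate holds a quorum."""
    findings = []
    for w in wallets:
        wkeys = [k for k in keys if k.wallet == w.name]
        # A backup is as spendable as its primary, so count distinct underlying
        # keys per site rather than raw records.
        per_site: Dict[str, set] = {}
        for k in wkeys:
            per_site.setdefault(k.location, set()).add(k.backup_of or k.key_id)
        for site, ids in per_site.items():
            if len(ids) >= w.threshold:
                findings.append(f"{w.name}: {len(ids)} distinct keys at {site} meet threshold {w.threshold}")
        online = {k.backup_of or k.key_id for k in wkeys if k.online}
        if len(online) >= w.threshold:
            findings.append(f"{w.name}: {len(online)} distinct keys online meet threshold {w.threshold}")
        primary_site = {k.key_id: k.location for k in wkeys if k.backup_of is None}
        for k in wkeys:
            if k.backup_of and primary_site.get(k.backup_of) == k.location:
                findings.append(f"{w.name}: backup {k.key_id} shares site {k.location} with primary {k.backup_of}")
    return findings


def run_checks(wallets: List[Wallet], keys: List[KeyRecord], min_cold: float = 0.90) -> dict:
    """Combine both checks into one report dictionary."""
    ratio = cold_storage_ratio(keys)
    findings = concentration_findings(wallets, keys)
    return {
        "cold_storage_ratio": ratio,
        "cold_storage_ok": ratio >= min_cold,
        "findings": findings,
        "compliant": ratio >= min_cold and not findings,
    }


# Constructed sample inventory: two 2-of-3 wallets. "client-A" is laid out
# correctly; "client-B" keeps a quorum online at one site and a backup beside
# its primary, and its idle online key drags the cold-storage ratio to 0.75.
SAMPLE_WALLETS = [Wallet("client-A", 2), Wallet("client-B", 2)]
SAMPLE_KEYS = [
    KeyRecord("A1", "client-A", "vault-hamilton", online=False, in_use=False),
    KeyRecord("A2", "client-A", "vault-zurich", online=False, in_use=False),
    KeyRecord("A3", "client-A", "hsm-dc1", online=True, in_use=True),
    KeyRecord("A1b", "client-A", "vault-london", online=False, in_use=False, backup_of="A1"),
    KeyRecord("B1", "client-B", "hsm-dc1", online=True, in_use=True),
    KeyRecord("B2", "client-B", "hsm-dc1", online=True, in_use=False),
    KeyRecord("B3", "client-B", "vault-hamilton", online=False, in_use=False),
    KeyRecord("B3b", "client-B", "vault-hamilton", online=False, in_use=False, backup_of="B3"),
]

if __name__ == "__main__":
    report = run_checks(SAMPLE_WALLETS, SAMPLE_KEYS)
    print(f"cold storage ratio: {report['cold_storage_ratio']:.2f} (ok={report['cold_storage_ok']})")
    for line in report["findings"]:
        print("finding:", line)
    print("compliant:", report["compliant"])
```

Counting distinct underlying keys per site, rather than records, is deliberate: a backup at the same vault as a different wallet key is just as much a spending quorum as two primaries would be, so the check would otherwise miss exactly the concentration the rule is meant to prevent.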

Physical Security and Access Requirements

The draft code requires firms to have storage facilities equipped with highly secure vaults that are resistant to forcible penetration, and to monitor all physical storage areas on a 24/7 basis. Access to storage areas must be limited to persons authorized by the associated entity and confirmed by a third party through multifactor identity verification.22

The draft code also requires firms to have access requirements that include, at a minimum, badge entry restricted to authorized individuals; access controls separate from those of primary workspaces; facility access control logging systems that maintain access records for a minimum of one year on-site, with a copy stored for three years at an off-site location; and CCTV coverage of entry points.23

Key Compromise and Key Revocation Procedure 

The draft code requires firms to have a documented protocol in the event there is reasonable belief that a wallet, private key or seed has been compromised.24 Digital asset businesses must also have procedures in place for immediately revoking a signatory’s access.25

Perpetual Client Access and Location Redundancy

The draft code requires firms to demonstrate that they can provide clients with perpetual access to all assets in custody in the event the business ceases to operate or cannot fulfill its custody agreement.26

The draft code also requires businesses to maintain disaster recovery and redundancy facilities designed to ensure business continuity and client asset preservation.27

Mandatory Reporting of Security Breaches 

The draft code requires firms to have documented policies and procedures to address actions taken, client notifications, and notifications to the BMA regarding an event or suspicion of hack, theft, compromise or attack. Such procedures must be reviewed and audited annually. Within 14 days of a notification, the senior representative must furnish the BMA with a report in writing setting out all of the particulars of the case.28

Custody Transaction Handling and Custody Operations Controls

The draft code requires firms to ensure transactions are secure and trusted and that there are measures in place to prevent fraud. All transactions must be recorded in system audit records, and these records must be periodically audited.29

The draft code also imposes custody transaction handling control standards, including multi-signature authorizations, collusion mitigation, evidence-based signature approvals, periodic audits and data deletion and sanitization policies.30

IT Operational Controls

The draft code concludes with a series of technology operations requirements. Firms must have best practice IT operational controls in place to ensure a secure and stable custody operating environment. 

The mandated controls include multi-factor authentication; security controls to all systems, particularly internet-facing systems; individual access system controls; security vulnerability and custody services testing; and disaster recovery procedures.31


  1. “Consultation on Digital Asset Custody Code of Practice 2018,” Bermuda Monetary Authority, December 2018, http://cloudfront.bernews.com/wp-content/uploads/2018/12/Digital-Asset-Custody-Code-of-Practice.pdf (accessed 20 December 2018).
  2. Consultation on Digital Asset Custody Code of Practice 2018, §1.2, Bermuda Monetary Authority, December 2018, http://cloudfront.bernews.com/wp-content/uploads/2018/12/Digital-Asset-Custody-Code-of-Practice.pdf (accessed 20 December 2018).
  3. Consultation on Digital Asset Custody Code of Practice 2018, §1.2, Bermuda Monetary Authority, December 2018, http://cloudfront.bernews.com/wp-content/uploads/2018/12/Digital-Asset-Custody-Code-of-Practice.pdf (accessed 20 December 2018).
  4. Consultation on Digital Asset Custody Code of Practice 2018, §1.3, Bermuda Monetary Authority, December 2018, http://cloudfront.bernews.com/wp-content/uploads/2018/12/Digital-Asset-Custody-Code-of-Practice.pdf (accessed 20 December 2018).
  5. Consultation on Digital Asset Custody Code of Practice 2018, §1.3, Bermuda Monetary Authority, December 2018, http://cloudfront.bernews.com/wp-content/uploads/2018/12/Digital-Asset-Custody-Code-of-Practice.pdf (accessed 20 December 2018).
  6. Consultation on Digital Asset Custody Code of Practice 2018, §1.5, Bermuda Monetary Authority, December 2018, http://cloudfront.bernews.com/wp-content/uploads/2018/12/Digital-Asset-Custody-Code-of-Practice.pdf (accessed 20 December 2018).
  7. Consultation on Digital Asset Custody Code of Practice 2018, §1.5, Bermuda Monetary Authority, December 2018, http://cloudfront.bernews.com/wp-content/uploads/2018/12/Digital-Asset-Custody-Code-of-Practice.pdf (accessed 20 December 2018).
  8. Consultation on Digital Asset Custody Code of Practice 2018, §1.5, Bermuda Monetary Authority, December 2018, http://cloudfront.bernews.com/wp-content/uploads/2018/12/Digital-Asset-Custody-Code-of-Practice.pdf (accessed 20 December 2018).
  9. Consultation on Digital Asset Custody Code of Practice 2018, §1.43, Bermuda Monetary Authority, December 2018, http://cloudfront.bernews.com/wp-content/uploads/2018/12/Digital-Asset-Custody-Code-of-Practice.pdf (accessed 20 December 2018).
  10. Consultation on Digital Asset Custody Code of Practice 2018, §1.6, Bermuda Monetary Authority, December 2018, http://cloudfront.bernews.com/wp-content/uploads/2018/12/Digital-Asset-Custody-Code-of-Practice.pdf (accessed 20 December 2018).
  11. Consultation on Digital Asset Custody Code of Practice 2018, §1.8, Bermuda Monetary Authority, December 2018, http://cloudfront.bernews.com/wp-content/uploads/2018/12/Digital-Asset-Custody-Code-of-Practice.pdf (accessed 20 December 2018).
  12. Consultation on Digital Asset Custody Code of Practice 2018, §1.19, Bermuda Monetary Authority, December 2018, http://cloudfront.bernews.com/wp-content/uploads/2018/12/Digital-Asset-Custody-Code-of-Practice.pdf (accessed 20 December 2018).
  13. Consultation on Digital Asset Custody Code of Practice 2018, §1.9, Bermuda Monetary Authority, December 2018, http://cloudfront.bernews.com/wp-content/uploads/2018/12/Digital-Asset-Custody-Code-of-Practice.pdf (accessed 20 December 2018).
  14. Consultation on Digital Asset Custody Code of Practice 2018, §1.21, Bermuda Monetary Authority, December 2018, http://cloudfront.bernews.com/wp-content/uploads/2018/12/Digital-Asset-Custody-Code-of-Practice.pdf (accessed 20 December 2018).
  15. Consultation on Digital Asset Custody Code of Practice 2018, §1.20, Bermuda Monetary Authority, December 2018, http://cloudfront.bernews.com/wp-content/uploads/2018/12/Digital-Asset-Custody-Code-of-Practice.pdf (accessed 20 December 2018).
  16. Consultation on Digital Asset Custody Code of Practice 2018, §1.17, Bermuda Monetary Authority, December 2018, http://cloudfront.bernews.com/wp-content/uploads/2018/12/Digital-Asset-Custody-Code-of-Practice.pdf (accessed 20 December 2018).
  17. “Consultation on Digital Asset Custody Code of Practice 2018: Technology Controls Part I: Custody Safekeeping,” Bermuda Monetary Authority, December 2018, http://cloudfront.bernews.com/wp-content/uploads/2018/12/Digital-Asset-Custody-Code-of-Practice.pdf (accessed 20 December 2018).
  18. Consultation on Digital Asset Custody Code of Practice 2018, §1.28, Bermuda Monetary Authority, December 2018, http://cloudfront.bernews.com/wp-content/uploads/2018/12/Digital-Asset-Custody-Code-of-Practice.pdf (accessed 20 December 2018).
  19. Consultation on Digital Asset Custody Code of Practice 2018, §§1.30-1.31, Bermuda Monetary Authority, December 2018, http://cloudfront.bernews.com/wp-content/uploads/2018/12/Digital-Asset-Custody-Code-of-Practice.pdf (accessed 20 December 2018).
  20. Consultation on Digital Asset Custody Code of Practice 2018, §1.31, Bermuda Monetary Authority, December 2018, http://cloudfront.bernews.com/wp-content/uploads/2018/12/Digital-Asset-Custody-Code-of-Practice.pdf (accessed 20 December 2018).
  21. Consultation on Digital Asset Custody Code of Practice 2018, §1.31, Bermuda Monetary Authority, December 2018, http://cloudfront.bernews.com/wp-content/uploads/2018/12/Digital-Asset-Custody-Code-of-Practice.pdf (accessed 20 December 2018).
  22. Consultation on Digital Asset Custody Code of Practice 2018, §1.33, Bermuda Monetary Authority, December 2018, http://cloudfront.bernews.com/wp-content/uploads/2018/12/Digital-Asset-Custody-Code-of-Practice.pdf (accessed 20 December 2018).
  23. Consultation on Digital Asset Custody Code of Practice 2018, §1.41, Bermuda Monetary Authority, December 2018, http://cloudfront.bernews.com/wp-content/uploads/2018/12/Digital-Asset-Custody-Code-of-Practice.pdf (accessed 20 December 2018).
  24. Consultation on Digital Asset Custody Code of Practice 2018, §1.35, Bermuda Monetary Authority, December 2018, http://cloudfront.bernews.com/wp-content/uploads/2018/12/Digital-Asset-Custody-Code-of-Practice.pdf (accessed 20 December 2018).
  25. Consultation on Digital Asset Custody Code of Practice 2018, §1.37, Bermuda Monetary Authority, December 2018, http://cloudfront.bernews.com/wp-content/uploads/2018/12/Digital-Asset-Custody-Code-of-Practice.pdf (accessed 20 December 2018).
  26. Consultation on Digital Asset Custody Code of Practice 2018, §1.38, Bermuda Monetary Authority, December 2018, http://cloudfront.bernews.com/wp-content/uploads/2018/12/Digital-Asset-Custody-Code-of-Practice.pdf (accessed 20 December 2018).
  27. Consultation on Digital Asset Custody Code of Practice 2018, §1.40, Bermuda Monetary Authority, December 2018, http://cloudfront.bernews.com/wp-content/uploads/2018/12/Digital-Asset-Custody-Code-of-Practice.pdf (accessed 20 December 2018).
  28. Consultation on Digital Asset Custody Code of Practice 2018, §1.42, Bermuda Monetary Authority, December 2018, http://cloudfront.bernews.com/wp-content/uploads/2018/12/Digital-Asset-Custody-Code-of-Practice.pdf (accessed 20 December 2018).
  29. “Consultation on Digital Asset Custody Code of Practice 2018: Technology Controls Part II: Transaction Handling,” Bermuda Monetary Authority, December 2018, http://cloudfront.bernews.com/wp-content/uploads/2018/12/Digital-Asset-Custody-Code-of-Practice.pdf (accessed 20 December 2018).
  30. “Consultation on Digital Asset Custody Code of Practice 2018: Technology Controls Part II: Transaction Handling,” Bermuda Monetary Authority, December 2018, http://cloudfront.bernews.com/wp-content/uploads/2018/12/Digital-Asset-Custody-Code-of-Practice.pdf (accessed 20 December 2018).
  31. “Consultation on Digital Asset Custody Code of Practice 2018: Technology Controls Part III: Operations Controls,” Bermuda Monetary Authority, December 2018, http://cloudfront.bernews.com/wp-content/uploads/2018/12/Digital-Asset-Custody-Code-of-Practice.pdf (accessed 20 December 2018).