
On April 16, 2024, the Hong Kong Monetary Authority (HKMA) released guidance on distributed ledger technology (DLT), supporting banks in using DLT with the associated risks under control, and expressed its hope that, by setting out the HKMA's supervisory considerations, the guidance will encourage the industry to adopt and apply DLT more widely.
The HKMA's supervisory principle is “risk-based and technology-neutral”. It focuses mainly on whether banks have sufficient controls in place to properly manage the additional and unique risks introduced by applying DLT. Some risk factors recur across different DLT projects, and the HKMA has therefore set out the relevant factors in the guidance, including the following. First, establish appropriate governance: the bank's board of directors and senior management bear ultimate responsibility for the use of DLT and should formulate appropriate policies and risk frameworks to ensure that the bank can properly manage all risks arising from DLT.
Second, ensure that the DLT application is appropriately designed. Matters the bank may need to consider in the design process include:
(i) the suitability of different DLT networks;
(ii) the use and design of smart contracts;
(iii) how to manage the risks that may arise, including third-party risks; and
(iv) whether the project can achieve interoperability with other systems securely.
In addition, the HKMA pays attention to the ongoing maintenance and monitoring of DLT projects. Banks should put in place effective cyber security measures, properly manage private keys, comply with personal data and privacy protection requirements, and formulate appropriate contingency plans and testing arrangements.
The following is a translation of the original text on distributed ledger technology (DLT) risk management.
Background
Since the government issued the “Hong Kong Virtual Assets Development Policy Statement” in 2022, the HKMA has noticed that authorized institutions (AIs) have shown strong interest in exploring how DLT, the technology underpinning the virtual asset ecosystem, can be applied to traditional financial market operations. As these explorations accelerate, more and more AIs have approached the HKMA, in line with the regulatory expectations set out by the HKMA on January 28, 2022, to seek views on their planned initiatives.
As long as they can manage the relevant risks appropriately, the HKMA supports AIs adopting DLT-based solutions. Following the “risk-based and technology-neutral” principle, when the HKMA reviews an AI's DLT-related proposal, it focuses on whether the AI has established adequate systems and controls to manage the additional risks of DLT.
Although the HKMA's specific considerations vary with the particular solution under review, some common areas of risk are usually associated with the use of DLT. To facilitate AIs' adoption of DLT solutions, the HKMA sets out in this memorandum:
(i) the key issues it considers when evaluating an AI's DLT-related proposals; and
(ii) the capabilities and conditions that an AI should usually demonstrate and/or meet in each area.
The above considerations are non-binding and non-exhaustive, and will continue to evolve with the development of the market and the relevant technologies. Therefore, although AIs may refer to these points when designing and developing DLT-related solutions, the HKMA will continue to engage with AIs on specific issues to ensure that the above factors are applied appropriately to individual cases.
Key factors
Governance
DLT emphasises decentralisation. The use of DLT involves not only novel applications of technology but also non-traditional governance concepts. Therefore, the board of directors and senior management remain fully responsible for the AI and for managing the relevant risks.
When implementing DLT solutions, an AI may encounter a series of new DLT-specific risks, including governance-related risks. The HKMA therefore expects the board of directors and senior management of the AI to establish sufficient systems and controls to mitigate these risks.
As part of this, the AI should review and update its relevant policies and frameworks as needed to reflect DLT-specific factors. These policies and frameworks include technology risk management (such as change management, access control and cyber security), business continuity planning (BCP) and outsourcing.
Regarding internal capabilities, the AI must ensure that it has staff with sufficient DLT expertise to support the implementation, and that its management has sufficient knowledge to review and evaluate the DLT strategy and approach adopted by the AI.
Given the rapid pace of technological progress, the AI should consider the need to provide staff with regular training and to reconfigure workflows to keep up with the latest developments. If the DLT solution involves customer-facing elements, the AI should review the need for DLT-specific consumer education efforts and/or updates to existing dispute-handling procedures, as well as the need for compensation and redress mechanisms.
Application design and development
Select the right DLT network for the specific application – Considering the impact of the structure and governance model of a DLT network (for example, permissionless, private permissioned, or public permissioned) on the network's security, stability, scalability and resilience, an AI must select the appropriate DLT network for its specific application.
The HKMA expects AIs to fully understand the different types of DLT networks available and to make an appropriate choice based on the nature and risks of the application involved, as well as their own legal and regulatory responsibilities. If an AI decides to choose a design option that may involve higher risks, the HKMA expects that option to be subject to critical assessment and corresponding risk management controls to be put in place. For example, because of its open membership and greater exposure to attack by malicious actors, a permissionless network may not be the preferred choice for applications involving sensitive data.
However, if the AI can identify appropriate measures to manage the relevant risks (such as cryptographic solutions like zero-knowledge proofs, or a combination of on-chain and off-chain solutions), such networks need not be ruled out for such applications by default.
Design “appropriate” smart contracts – Although smart contracts can provide efficiency gains through automation, they may not be suitable for all business scenarios, or may only be deployable with customised controls.
For example, in cases that usually involve a degree of human judgement (such as complex loan assessments), unchecked automation may not be welcome, and smart contracts may only be applicable if options for manual intervention are added.
If an AI considers the use of smart contracts appropriate, the HKMA expects it to effectively manage the common vulnerabilities associated with smart contracts. These include operational risks (such as non-malicious coding errors and cyber attacks), third-party risks (such as the reliability of the “oracles” used to obtain external data) and legal risks (such as whether the legal basis of a smart contract is established).
To this end, AIs are recommended to establish a rigorous governance framework for introducing and updating smart contracts. An effective framework will evaluate the suitability of smart contracts in given circumstances; review upcoming smart contracts from the operational, technological and legal perspectives to ensure that the necessary risk management controls are included in the final design; and cover the procedures and considerations for upgrading smart contracts. If necessary, the AI should consider obtaining professional advice, including having a suitable third party audit the smart contract before deployment.
Understand and mitigate potential legal risks – The legal foundation for applying DLT to traditional financial market activities is still developing. For example, in the issuance and trading of tokenised products, “settlement finality” is a clear and well-defined point in time in the traditional financial system, supported by a strong legal basis; under a DLT arrangement that uses a consensus-based validation mechanism, the point of settlement finality may be less clear. Depending on the method used to “tokenise” a traditional product, its legal status and subsequent regulatory treatment may also change. AIs should be aware of these possible legal grey areas, seek professional advice where necessary, and take measures during the design process to mitigate the resulting legal risks.
Effectively manage risks related to third parties – The HKMA expects an AI, when evaluating whether to adopt a DLT solution, to review and determine whether it can manage the third-party risks that the DLT arrangement may bring. In particular, given that DLT networks operate on a consensus mechanism and rely on node operators to validate and confirm changes to the ledger, the AI should fully consider whether the node operators are sufficiently trustworthy, reliable and diverse for the application at hand.
If they are found to be insufficient, the AI should take adequate compensating risk measures. The design of the DLT network may also affect the AI's ability to fully manage third-party risks. For example, permissionless networks have open membership by design and allow any participant (including pseudonymous participants) to become a validator. In these cases the AI has less control over the third parties involved, so unless it can adopt adequate compensating risk management measures, adopting this type of DLT solution for highly critical or sensitive functions may not be suitable.
Achieve interoperability and connectivity securely – The HKMA expects AIs to design their DLT-based systems to be compatible with, and able to “communicate” with, traditional and other DLT-based solutions as far as possible. This may help limit market fragmentation, support operational efficiency, and ensure the long-term relevance of DLT solutions.
For example, the HKMA has been encouraging banks to explore the potential of DLT for deposit-taking (that is, “tokenised” deposits), since this kind of deposit activity is permitted under the Banking Ordinance. In this process, banks should note that tokenised deposits that can only be used within the AI itself add relatively little value compared with deposits that can be used for interbank transfers and settlement. With this in mind, AIs are recommended to consider adopting more widely accepted industry technical standards to support compatibility. As with any bank initiative, the AI should ensure the security of these connections, including protecting them against the risks of cyber attack, potential security vulnerabilities and data leakage.
Ongoing maintenance and monitoring
Establish cyber security mechanisms at the same level as for traditional technology – DLT-based applications should enjoy a level of cyber security commensurate with that of traditional underlying technology. The HKMA expects AIs to adopt effective mechanisms to address DLT-specific cyber risks (such as 51% attacks) and other common cyber security threats (such as distributed denial-of-service, or DDoS, attacks). AIs should also stay alert to the emerging criminal tactics of threat actors and to new technological developments that may affect the security of DLT applications (such as quantum computing), and regularly update their response capabilities.
Manage private keys securely – An AI's responsibility for accessing and protecting private keys depends on the purpose for which it adopts the DLT application and whether it provides certain services. Given the different possibilities, the HKMA generally expects an AI to demonstrate that it has formulated robust policies and procedures to safeguard any private keys it holds or manages, at a level of security commensurate with the nature and risks of the application, the underlying assets related to the private keys, and the AI's responsibilities.
For example, an AI that provides custody services for customers' digital assets is usually expected to adopt more stringent security procedures to ensure that the relevant private keys (and, where applicable, mnemonic phrases) are always generated, stored and backed up securely. This may involve a variety of measures, including implementing controls that strictly restrict access to the keys, using cold storage, and developing off-site backups and other contingency arrangements.
Ensure compliance with data privacy and protection requirements – Regardless of whether data is stored on a centralised ledger or a DLT-based ledger, the existing data privacy and protection requirements continue to apply. Therefore, the AI should demonstrate that it has established sufficient systems and controls to ensure that it continues to meet these requirements.
Where necessary, mitigating measures should be taken to manage the complications that may arise from the unique properties of DLT arrangements. These may include, but are not limited to: difficulty in complying with data retention requirements (given, for example, the irreversibility of data on a DLT network), ensuring the confidentiality of personal data (given the transparent nature of some DLT networks), and data localisation (for example, how to satisfy data residency requirements when a DLT network is distributed across multiple jurisdictions).
Formulate contingency plans and testing arrangements – If an AI uses DLT for critical functions, the HKMA expects it to include DLT-specific test scenarios (such as common DLT network attacks, loss of private keys, and the possibility of forks) and contingency arrangements in its business continuity plan (BCP).
In particular, the AI is expected to understand and consider the unique operating dynamics of the DLT network, especially factors that may affect system and capacity management (such as the possibility of validator congestion and the need to pay higher fees for urgent transactions), and to pay attention to testing these. When considering more extreme scenarios, the AI should also consider the need to provide backup options in case the DLT solution becomes temporarily or permanently unavailable.