Navigating VARA compliance: A guide for custodians on key management
The Virtual Asset Regulatory Authority (VARA) was established to oversee the virtual asset ecosystem in the Emirate of Dubai. Its primary purpose is to provide a comprehensive regulatory framework for the growth and development of the virtual asset industry, ensuring security, transparency, and investor protection within the market.
VARA has jurisdiction over most stakeholders in the virtual asset space, including exchanges, custodians, wallet providers, and other virtual asset service providers. By setting clear rules and guidelines for these entities, VARA strives to create a robust and well-regulated ecosystem that fosters innovation while protecting investors and maintaining market integrity.
This article provides an overview of VARA and its objectives, focusing on private key management for custodians. We will also discuss how Coincover's non-custodial solutions can help custodians comply with VARA's requirements outlined in its Custody Rulebook.
VARA’s objectives
VARA's objectives can be summarised as follows:
- Foster innovation: Encourage the development of virtual asset technologies and services while maintaining a well-regulated environment that supports innovation and growth.
- Investor protection: Safeguard the interests of investors and users by implementing robust regulatory measures that ensure the security, transparency, and reliability of virtual asset service providers.
- Market integrity: Maintain the integrity and stability of the virtual asset market by preventing market manipulation, money laundering, and other illicit activities.
- Risk management: Establish a comprehensive risk management framework for virtual asset service providers to identify, assess, and mitigate risks associated with their operations.
- International cooperation: Collaborate with other jurisdictions and international organisations to promote a globally consistent approach to virtual asset regulation.
VARA's requirements for key management
The VARA Custody Rulebook outlines the regulatory framework and requirements for entities providing custody services in the virtual asset space. It stipulates detailed procedures for the safekeeping and management of clients' virtual assets, mainly focusing on the management and backup of private keys. In addition, the rulebook outlines the obligations and responsibilities of custodians to ensure the security and integrity of the virtual assets they handle.
Custodians' obligations and responsibilities
Custodians must establish, implement, and maintain robust and secure policies, procedures, and controls to manage the risks associated with the custody of virtual assets. These measures should ensure the safeguarding, segregation, and accurate record-keeping of clients' virtual assets.
Private key management
Custodians must maintain strict control over clients' private keys, which are critical for accessing and transacting virtual assets. The rulebook requires custodians to:
- Implement robust and secure private key generation processes (Part III.C.2a)
- Use cryptography that complies with industry best practices (Part III.C.2b)
- Maintain a clear segregation of duties between the custodian and the operational company (Part III.B.5 and 6)
- Limit and monitor access to private keys. (Part III.C.2.e)
- Implement multi-signature schemes, where appropriate, to minimise the risk of unauthorised access. (Part III.C.2.d)
- Regularly review the effectiveness of policies and procedures, including those relating to key management (Part II.A.2)
Backup private key management
The rulebook emphasises the importance of having secure and reliable backup procedures for private key management. Custodians must:
- Create and store multiple copies of private keys in geographically dispersed locations. (Part III.C.2c)
- Implement encryption and secure storage mechanisms to protect backup copies from unauthorised access. (Part III.C.2c)
- Regularly test the effectiveness of backup and recovery procedures (Part III.C.3a)
Implications for custodians
The VARA Custody Rulebook highlights the critical role custodians play in the virtual asset ecosystem. By adhering to the rulebook, custodians can ensure the security and protection of their clients' assets, bolstering trust and confidence in virtual asset markets.
The rulebook's emphasis on private key management and backup processes highlights the importance of establishing rigorous controls and procedures to mitigate the risks associated with virtual asset custody. Custodians are expected to invest in the necessary technology, infrastructure, and expertise to meet these requirements, ultimately enhancing the overall security and resilience of the virtual asset landscape.
A non-custodial and cost-effective solution for managing the backup of private key materials
Coincover, a leading virtual asset security provider, offers comprehensive non-custodial solutions that help custodians manage the backup of private key materials in compliance with VARA's requirements. With Coincover's Disaster Recovery service, custodians can benefit from:
- Secure storage of encrypted backup private key materials
- Geographic distribution for enhanced security
- Robust recovery security procedures requiring a quorum of nominated individuals to action a recovery
- Cost-effective management of backup keys
- Rapid scalability
Coincover’s secure, non-custodial platform simplifies the key management process, reducing operational costs associated with extensive in-house infrastructure and personnel. As a result, custodians can protect their clients' assets, adhere to regulatory standards, and optimise resources, allowing them to concentrate on their core business activities.
Coincover also provides ongoing support and training, helping custodians stay up to date with industry developments and regulatory changes. It ensures that custodians can continue to scale their businesses while maintaining a high level of security and compliance, allowing them to adapt to the dynamic virtual asset landscape.
By partnering with Coincover, custodians can confidently ensure access to their clients' assets while adhering to the stringent guidelines set forth by VARA, providing an invaluable resource for navigating the complex regulatory landscape.