The Office of the SEC of Thailand (“SEC”) has issued regulations, having effect since 16 January 2023, requiring digital asset business operators that have custody of customers’ digital assets to have the system of the digital asset wallet management to store digital assets and cryptographic keys (“Keys”). This is to facilitate efficient custody and assure the safety of clients’ assets because the Keys and data are tools for approval of transfers and transactions of the digital assets in the digital wallets.
The regulations appear in recent Notifications of the SEC, including the guidelines, conditions, and means of digital asset business operation, and the Notification concerning the details of the digital wallets and keys management system, which have their core requirements as follows:
1. Policy and practice related to system monitoring and management of the digital assets custody
Policy: The digital asset business operators shall have policy in writing approved by the SEC which has at least 2 main points including, firstly, risk management of the digital assets custody which is consistent to the company’s policy and enterprise risk covering the risk identification, risk assessment, risk control, and secondly, system management related to custody of digital assets, regarding design, development, and management of the digital assets wallets.
Practice: The digital asset business operators shall provide system management and monitoring of the digital assets custody to be pursuant to the policy relevant to the risk and system management.
2. System management related to the digital assets custody
The digital asset business operators shall have policy and process in the system management of the digital assets custody. In case that the operation of the business relates to creation, maintenance, or access of keys, original data, or other data, the digital asset business operators shall provide the policy and process in system management of the digital assets custody in such operations of the business.
3. Management of the incident which potentially affects the digital assets custody system
The digital asset business operators shall have the incident management, in a case that the incident could possibly affect the digital assets custody system by complying with the guidelines as follows:
1. setting steps, procedures, and person(s), in charge of, the incident management;
2. conducting once-a-year testing on steps and procedures of the incident management;
3. Reporting the incident that potentially affects the digital assets custody system to the person(s) in charge and the SEC in due course;
4. In the event that the incident considerably affects the stability and the security of the digital assets custody system, the digital asset business operators shall procure with an independent expert, having accreditations or certifications, to conduct investigation on the stability and security of the digital assets custody system and the digital forensic investigation;
5. Submitting the expert’s report of the investigations in accordance with (4.) to the SEC; and
6. Preparing corrective action plans and preventive measurements and propose them to the SEC.
In addition, pursuant to the transitional provisions, digital asset business operators who had provided custody of clients’ assets prior to the effective date of the regulations are required to fully comply with the regulations within six months as from the effective date.