Vendors will be required to demonstrate that involved employees have been properly researched, and that they have the experience and training to accomplish required tasks. Given the novel challenges of a virtual currency, sufficient training must be in place. These requirements will be continuous, with periodic review.
The client base of the vendor implies a KYC type of requirement. The number of clients, clients’ crypto holdings by value and distribution, and the total exposure of the vendor must be described. Whether clients are large or small financial institutions, or individuals, their organizations and business practices are important. Some of these may be subject to regulations under the Bank Secrecy Act or other AML rules regarding money transfer, including the $10,000 limit, and appropriate reporting is required. In all cases, the natural persons controlling the ‘client’ must be known.
Vendors should have policies and procedures in place that are sufficient to manage client accounts. Segregation of every client/crypto combination is important, with separate, unique private keys created for each. These accounts will vary in the number of distinct stores of crypto by value, how private keys are assigned to accounts, and how they are accessed when under possession of the vendor. Very specific rules should be in place to govern withdrawals and other transactions, as described above.