The final operational pillar that supports institutionalization of the Virtual Assets industry is governance. VASPs are often fast growing, technology driven, and agile organizations. Therefore, it is critical to implement robust governance structures for sustainable operations. Strong internal governance helps with oversight and policing of internal processes and policies.
Similar to traditional financial services (FS) organizations, a robust governance infrastructure should have ‘three lines of defense’. A first line would be implementing management and internal controls; a second, strengthening security, financial controls, risk mitigation, and inspection and compliance obligations; and a third would be both internal and independent audits.
Here are some factors to consider within these areas:
- Experienced leadership: VASPs must have experienced risk and compliance senior management in place who are aware of the risks to the business and of how those risks are to be managed.
- Governance bodies: VASPs need a governance body, as well as a risk and audit committee, to help implement robust risk management, compliance, and internal control functions. This includes setting up a board and committees, defining the organization’s values, and establishing a risk culture to drive and reward the right behaviors.
- Third party risk mitigation: Given the digital-first nature of VASPs, they often rely on third parties to enable certain functions. This outsourcing needs to be clearly included in the governance framework and controls. This requires robust vendor management, thorough due diligence of the vendor, and regular reviews of performance.
- Information control: VASPs should consider the risks and controls around disclosure of information, especially around the handling and safekeeping of customers’ assets. VASPs need to explain to their customers relevant aspects of their operations to establish trust and confidence, without introducing risk by over-disclosing operational secrets.
- Relationship management: Fast and effective responses to customer enquiries are critical, as is more formalized interaction with major stakeholders and regulators.
- Insider risk management: A major risk often comes from those working in, or close to the organization, and their access to privileged information. For example, hacks can involve collusion and interpersonal behavior. Therefore, it is critical that people have strongly separated duties, clear responsibilities, and the necessary competences to execute their work. Organizations should establish internal audit and whistle-blower functions. The operational team should include members with different backgrounds and areas of expertise. VASPs need to foster collaborative environments in which compliance and risk-focused roles work together.
Automation technology is a significant way to help organizations effectively manage risk and operational controls as they scale. VASPs often use automation for system scans, trading balance audits, and transaction monitoring.
However, it is important to make sure the automation tools are set up to act independently and correctly. This requires robust specification documents, rigorous test results, and diligent Software Development Lifecycle (SDLC) governance. This also helps regulators and institutional investors to trust the processes.
Institutional investors and regulators will want assurance on the accuracy of automation controls. Professional services organizations can perform an independent assessment, in addition to the assessment performed by regulators.