Chapter 6: Technology & Security Requirements
The SC’s Guidelines on Technology Risk Management and cybersecurity expectations are hard requirements. One major breach or outage can cost you the licence.
6.1 Core system capabilities
The minimal system puzzle of a compliant DAX:
flowchart TD
User[Users] --> Web[Web/App frontend]
Web --> API[API gateway + rate limit/WAF]
API --> Match[Matching engine]
API --> KYCsys[KYC/AML system]
Match --> Ledger[Ledger/asset system]
Ledger --> Hot[Hot wallet
small, auto deposit/withdraw] Ledger --> Cold[Cold wallet
bulk, offline multisig] API --> Monitor[Market surveillance/risk] All[Full stack] --> Log[Audit logs + SIEM]
small, auto deposit/withdraw] Ledger --> Cold[Cold wallet
bulk, offline multisig] API --> Monitor[Market surveillance/risk] All[Full stack] --> Log[Audit logs + SIEM]
Required modules:
- Matching engine: low-latency, auditable, fault-tolerant.
- Wallet system: hot/cold separation (below).
- Risk / market surveillance: anomaly, manipulation, wash-trading detection.
- KYC/AML integration (Chapter 5).
- Ledger & reconciliation: real-time view of client vs platform assets.
- Audit logs / SIEM: full, traceable records.
6.2 Wallets & key management
| Wallet | Use | Security |
|---|---|---|
| Hot | Daily auto deposits/withdrawals, small balance | Limits, multi-approval, real-time monitoring |
| Cold | The bulk of client assets, offline | Multisig / MPC, offline signing, physical isolation, split custody |
- Manage keys with HSM / MPC / multisig — no single point of control.
- Withdrawals need multi-person, multi-level approval and whitelists.
- Build Proof of Reserves capability for transparency and regulator trust.
6.3 Client-asset segregation & custody
- Client assets must be strictly segregated from platform assets (separate wallets, separate accounts).
- Self-custody must meet SC custody requirements; or partner with a licensed Digital Asset Custodian (DAC).
- Fiat goes into segregated trust / client accounts.
6.4 Cybersecurity baseline
- Defense in depth: WAF, DDoS protection, network segmentation, least privilege.
- Strong auth: 2FA/MFA for users, PAM for privileged internal access.
- Encryption: data in transit and at rest, tiered key management.
- Vulnerability management: regular scans, third-party penetration testing (often required by the SC).
- SOC / monitoring: 24×7 security operations and alerting.
- Secure SDLC: code review, dependency scanning.
6.5 Business continuity & DR (BCP/DR)
- Multi-site / backups, with explicit RTO / RPO targets.
- Regular drills of failover and recovery.
- Off-site backups with restore verification.
- Incident response plan (theft, outage, data breach handling and reporting).
6.6 Data residency & compliant deployment
- Assess data-localization requirements (PDPA, SC expectations).
- Cross-border transfers need a lawful basis and safeguards.
- Vendor risk assessment for third-party cloud/custody providers.
Summary / action items
- Design hot/cold wallet architecture with multisig/MPC + HSM.
- Implement client-asset segregation and custody (self or DAC).
- Build risk/market surveillance and full audit logging (SIEM).
- Arrange third-party pen-testing and vulnerability management.
- Build and drill BCP/DR and incident response.
- Define data residency and cross-border transfer compliance.
➡️ Next: Operations & Listing