Lightweight And Comprehensive Cryptocurrency Exchange Framework
Typical securities frameworks will cost Canadians millions of dollars.
Implementation costs of our proposed framework are significantly cheaper.
The framework was developed through an in-depth multi-year case study of 831 past exchange hack/scam/fraud events.
It prevents all historic cases where funds were lost in cryptocurrency exchanges.
We can maintain a diverse set of exchange platforms, keep small platforms we know and love, and encourage innovation while keeping Canadians safe.
This framework fully protects Canadians traders and fully supports innovation.
SARBANES-OXLEY | $5M USD / YEAR / FIRM
THREE KEY ELEMENTS
Effective standards to prevent both internal and external theft. Platform operators are trained and certified, and have a legal responsibility to users.
Regular Transparent Reviews
Provides visibility to Canadians that their funds are fully backed on the platform, while protecting privacy and sensitive platform information.
Proper Multi-Signature Storage
Private keys of cold storage customer funds are held by "signatories". A signatory is a unique, background-checked individual, who has responsibilities over user assets. Signatories are trained and certified through a course covering (1) past hacking and fraud cases, (2) secure key generation, and (3) proper safekeeping of keys. Keys must be generated and stored 100% offline.
All cold storage customer funds must be stored in established multi-signature wallet setups. Each private key is the legal responsibility of one signatory. Allowed combinations are 3of4, 3of5, 3of6, 4of5, 4of6, 4of7, 5of6, or 5of7. Each multi-signature setup should contain hardware from at least two fully unique manufacturing supply chains, be tested prior to use, and such setups existed for over a year.
Signing of transactions must take place with all signatories on Canadian soil or on the soil of a country which agrees and is able to uphold and support these rules. A white-list of approved countries is expanded over time. If a private key is ever breached or suspected to be breached, signatories have the legal responsibility to regenerate a new wallet and relocate all funds.
A security assessment will be conducted whenever a new cold storage wallet is constructed. This is done by a validator (see below) who validates the cold wallet is set up correctly. A key purpose is to ensure that all signatories are acting independently, are in full control of their key, and that withdrawals were tested. A report summarizing the assessment will be made public.
There is an approval process if signatories wish to visit non-compliant countries. At most 2 signatories can be outside of aligned jurisdiction at any given time. Exchanges located in non-compliant countries would be required to keep a separate cold wallet for Canadian funds within a Canadian office if they wish to serve Canadian customers.
Transparent Solvency Reviews
Reputable individuals and organizations in Canada serve as validators, assessing platforms multi-signature compliance and asset backing. Validators achieve tiers. A tier 1 validator has the approval of 3 insurance fund members (see section 3 below). Higher tiers are granted based on performing multiple reviews, time as a reviewer, and other credentials/training in accounting and security.
A platform must conduct two separate validations at founding, one after 3 months of operation, and at least one every 6 months thereafter to compare customer balances against all stored cryptocurrency and fiat balances. The validator will be known, approved, independent, and never repeat within a 14-month period. Platforms with higher total assets will require annual reviews from higher tier validators.
Each validator publishes a report with their background, assessment, and steps conducted in a readable format. (ie.SOC III or CipherBlade.) This is made available on the exchange website, the validator's website, and a government website. The report includes the percentage of each customer asset backing and how those funds were validated. It includes proof of ownership for any wallets.
Based on the account information provided, the validator will produce a public "hash list" with an entry for each customer. Each entry contains verifiably unique information (for example, partial email or string provided by customer) and included balance information, hashed with a salt. Customers can hash their information and find it on the list to have certainty that their full balance was provided to the validator.
Validators should be paid upfront for their services, and are required to assess honestly. Financial rewards are available for whistleblowing any attempt to bribe or coerce the validation process, as well as the finding of critical vulnerabilities. These rewards are assessed from the discretionary insurance fund (covered below).
Comprehensive Insurance Fund
Through coordination of industry and regulators, establish a collective insurance fund. The objective and mandate of this fund is to protect Canadian cryptocurrency platform users. The fund has full authority to cover losses related to insolvency, fraud, hacking, theft, and other cases at its discretion, however does not cover losses related to market price changes.
The insurance fund is managed by a council of 7 signatories, each representing a separate platform or organization. Crypto-asset funds (bitcoin, ethereum) are held in a 4 of 7 multi-signature wallet. Fiat funds are held in a legal structure constituting a similar voting mechanism for release of funds. Should a council member resign or lose capacity, a majority vote (4 or more) is used to establish a replacement and recreate wallets.
Platforms pay premiums proportional to their customer assets, with higher rates for balances not secured in cold storage, and double rate for assets other than bitcoin, ethereum, and CAD. 50% become "platform fund" which is specific to each platform, and 50% become "discretionary fund" which is collective to all platforms. Additional coverage may be obtained through industry underwriters at the discretion of council members.
Breaches/losses require the endorsement of one council member or a petition of 100 Canadian signatures to be considered. The council has discretion to disburse funds through the platform, bankruptcy proceedings, or separately to affected users directly. All decisions require a 4 of 7 majority vote. Council members determine the portion of the fund which will be allocated to assist and any cap that may apply.
In general, platform funds are available quickly unless fraud is suspected, once reporting and mitigation is performed. Discretionary funds are available when losses exceed or aren't covered by platform funds. They may also be used for additional third-party insurance to cover common events or to pay whistleblower/bug bounty rewards, governed by the 4 of 7 vote.
We are calling on regulators, Canadian crypto users, and exchange platforms to provide feedback and support for our proposal.
Please join our discussion and help us build a future that works for everyone and that we can all be excited about.