Digital Assets Guidelines 2023

SUPERVISORY AND REGULATORY GUIDELINES: 2023 Digital Assets Issued: 12 December, 2023 DIGITAL ASSETS GUIDELINES, 2023 TABLE OF CONTENTS INTRODUCTION.......................................................................................................................................2 PURPOSE .................................................................................................................................................2 APPLICABILITY .........................................................................................................................................3 DEFINITIONS............................................................................................................................................3 GOVERNANCE AND RISK MANAGEMENT ...............................................................................................6 FORMS OF DIGITAL ASSET ENGAGEMENT ..............................................................................................7 PRUDENTIAL TREATMENT.......................................................................................................................9 CENTRAL BANK REPORTING REQUIREMENTS.......................................................................................14

Bank Supervision Department 2 INTRODUCTION

1. The Central Bank of The Bahamas (“the Central Bank”) is responsible for the licensing, regulation and supervision of supervised financial institutions (“SFIs”) operating in and from within The Bahamas pursuant to The Banks and Trust Companies Regulation Act, 2020 (“the BTCRA”) and the Central Bank of The Bahamas Act, 2020 (“the CBA”).
2. All SFIs are required to adhere to the Central Bank’s licensing, regulation and prudential requirements and ongoing supervisory programmes, including periodic on-site inspections, and required regulatory reporting. SFIs are also expected to conduct their affairs in conformity with all other Bahamian legal requirements. PURPOSE
3. These Guidelines provide an overview of the Central Bank’s expectations of SFIs that are exposed to digital asset activities. Digital assets are a diverse asset class with varying characteristics that in certain cases may resemble traditional financial assets such as bonds, equities, commodities and cash held in custody. The Central Bank subscribes to the philosophy of “same risk, same activity, and same treatment”1 . Therefore, the prudential treatment of digital assets is based on the risks that are associated with the underlying characteristics of these assets. Where there may exist additional risks posed by these assets, SFIs should ensure that the risks are promptly identified, measured, and mitigated.
4. The Central Bank endorses and incorporated the principles in the Basel Committee on Banking Supervision (“the Basel Committee”) Prudential treatment of cryptoasset exposures. 2 These Guidelines should be read in conjunction with: (a) The Bahamas Capital Regulations, 2022 (“the Capital Regulations”); (b) The Banks and Trust Companies (Acquisition of Shares) Regulations, 2005; (c) Capital Adequacy Guidelines; (d) Corporate Governance Guidelines; (e) AML/CFT Guidelines; (f) Large Exposures Guidelines; (g) Guidelines for the Management of Credit Risk; (h) Guidelines for the Management of Technology Risk; (i) Guidelines on Minimum Standards for the Outsourcing of Material Functions (“Outsourcing Guidelines”); and (j) Enterprise Risk Management Guidance Notes.

1 Adopted from Basel’s Cryptoasset Exposures Framework. 2 In this paper, the wording digital assets is used, which is the generic and wide classification that encompasses cryptoassets. The Basel paper on prudential treatment of cryptoasset exposures refers to cryptoassets, which is defined therein as private digital assets that depend on cryptography and distributed ledger or similar technology.

Bank Supervision Department 3 APPLICABILITY 5. These Guidelines apply, as appropriate, to all SFIs that are exposed to risks associated with digital asset business activities (also referred to herein as digital asset activities). This framework representsthe Central Bank’s identification of accepted best practices for effective risk management in SFIs. The Central Bank appreciates that the breadth of the risk management programme in each SFI will depend on the scope and sophistication of the activities of the SFI, the nature and complexity of its digital asset-related businesses activities, and the types and levels of the risks that it assumes. However, failure to adopt a satisfactory risk management programme appropriate to a SFI’s business activities, constitutes an unsafe and unsound practice and could subject the SFI to regulatory sanctions and/or other supervisory intervention measures. Where these Guidelines conflict with any requirements outlined by the Securities Commission of The Bahamas (“SCB”), jointly supervised entities should adopt the more conservative approach. These Guidelines do not apply to central bank digital currencies (“CBDCs”)3 . 6. As part of its ongoing off-site supervision, on-site examination and analysis programmes, the Central Bank will periodically conduct an evaluation of each SFI’s strategies, policies, procedures and the management of their business activities. Central Bank’s Regulations and Guidelines establish the standards against which each SFI’s risk management programme will be evaluated. DEFINITIONS 7. For the purpose of these Guidelines:- “Asset Token” means a digital asset that represents a claim against the issuer that – a) is intended to represent an asset and is embedded with underlying assets; or b) derives its value by reference to an underlying asset; or c) is secured by an underlying asset; or d) is backed by assets held as collateral for the primary purpose of encouraging price stability; “Central Bank Digital Currencies” or “CBDCs” are digitalised versions of fiat currency governed by the Bahamian Dollar Digital Currency Regulations, 2021; “Cryptographic key” is a unique identifier that allows the transfer of digital assets from one party to another; “Custody of Digital Assets” means any arrangement under which a person (custodian) is authorised to hold directly or indirectly a customer’s access keys, smart contracts or other forms of digital assets;

3 CBDCs are digitalised versions of fiat currency governed by Bahamian Dollar Digital Currency Regulations, 2021.

Bank Supervision Department 4 “Digital Asset” means a digital representation of value distributed through a distributed ledger technology (“DLT”) platform where value is embedded or in which there is a contractual right of use and includes without limitation digital tokens; “Digital Asset Business” 4 includes the business of – a) a digital token exchange; b) providing services related to a digital token exchange; c) operating as a payment service provider business utilising digital assets; d) operating as a digital asset service provider, including providing DLT platforms that facilitates – i. the exchange between digital assets and fiat currencies; ii. the exchange between one or more forms of digital assets; and iii. the transfer of digital assets; e) participation in and provision of financial services related to an issuer’s offer or sale of a digital asset; and f) any other activity which may be prescribed by regulations; “Digital Asset Services Provider” means a person that – a) under an agreement as part of its business – i. Can undertake a digital asset transaction on behalf of another person; or ii. Has power of attorney over another person’s digital asset; or b) operates as a market maker for digital assets; “Digital Tokens” include￾a) Virtual currency tokens b) Asset tokens c) Utility tokens d) Non-fungible tokens (“NFTs”); and e) Any other digital representation of value designated by SCB to be a digital token under the DARE Act, 2020; “Exposures” includes on and off balance sheet items that give rise to credit 5 , market, operational and/or liquidity risks; “Fiat Currency” means coins and notes of any jurisdiction that is designated by the issuing monetary authority or central bank of such country as a legal tender; “Initial Token Offering” or “ITO” means an offer by an issuer to the public for the sale of a digital token in exchange for fiat currency or another digital asset; “Issuer” means the entity contractually responsible for issuing the digital token; “Nodes” are typically participants (entities including individuals) in distributed ledger networks that record and share data across multiple data stores (or ledgers);

4 This definition is sourced from the DARE Act, 2020. 5 See Banks and Trust Companies (Large Exposures) (Amendment) Regulations, 2012.

Bank Supervision Department 5 “Non-fungible Token” means a unique digital token created for use in specific applications, which cannot be divided and is not interchangeable with other types of digital tokens; “Organiser” if different from the issuer, means a person who, acting alone or in conjunction with one or more other persons to procure the organisation and formation of an issuer and the promotion and issuance of digital assets through an initial token offering; “Operators” are typically a single administrative authority in charge of managing a digital asset arrangement, performing functions that may include issuing the centralised digital asset, establishing the rules for its use; maintaining a central payment ledger; and the redeeming, withdrawing from circulation, and burning of digital assets; “Person” means an individual; sole proprietorship; partnership; joint venture; foundation; trust; estate; business trust; company; corporation; fund; unincorporated association or organisation; sovereign government or agency; instrumentality, or political subdivision thereof; or any similar entity or organisation; “Redeemers” are entities responsible for exchanging the digital asset for the traditional asset; 6 “Reserve assets” or “reserves” means the assets backing the value of a stablecoin; “Traditional assets” are assets (e.g. money market instruments, stocks, and bonds) that are not classified as digital assets and can be converted into cash quickly; “Stablecoins” are asset tokens that aim to maintain a stable value relative to a specified asset, a pool or basket of assets; “Utility Token” means a right of access or a discount represented in binary format to an application, utility or service but which does not, directly or indirectly, provide the holders thereof with any of the following contractual or legal rights: a) Ownership or equity interest in the issuer or in any person or pool of assets; b) Entitlement to share of profits, losses, assets or liabilities of the issuer or any other person or pool of assets, except in the event of the liquidation of the issuer, to receive a portion of the original subscription price paid at the time of the initial token offering; c) Legal status as a creditor; or d) Entitlement to receive distribution of profits, revenues, assets, or other distributions from the issuer or any other person or pool of assets; “Validators” are entities that commit transactions blocks to the distributed ledger network; and “Virtual Currency Token” means a digital representation of value, which can be digitally traded and functions as a (i) medium of exchange, (ii) unit of account, or (iii) store of value

6 The redeemer does not necessarily need to be the same as the entity responsible for organising the issuance of the digital asset.

Bank Supervision Department 6 that is not a digital currency and does not have legal tender status or carry any security or guarantee in any jurisdiction. 7 GOVERNANCE AND RISK MANAGEMENT 8. Senior management of SFIs should ensure that the Board has granted approval prior to engaging in digital asset activities and that the appropriate risk management framework is in place. SFIs must comprehensively assess the full range of risks associated with the type and magnitude of digital asset activities, inclusive of liquidity; credit; market; operational; money laundering, terrorist & proliferation financing, legal , reputation and risks related to financial crimes . 9. Senior Management should be actively involved in reviewing and signing off on the risk assessment framework for any planned direct business exposure to digital assets and should ensure that : (i) appropriate due diligence is conducted and periodically risk assessments are completed; (ii) risk assessments are not limited to new risks, but also include assessments on new activities and how they would impact existing operational risk assessments and whether existing internal controls should be modified to accommodate any changes; and (iii) appropriate risk management controls are applied with clear accountability and reporting processes. 10. The risk management framework governing digital assets exposuresshould be fully integrated into the overall risk management processes. Any increase in risks posed by digital assets exposure should be captured and effectively incorporated into SFIs’ Internal Capital Adequacy Assessment Process (“ICAAP”). In carrying out digital asset activities, SFIs must comply with the obligations imposed by the AML/CFT laws of The Bahamas as well as the Central Bank’s revised Guidelines on the Prevention of Money Laundering & Countering the Financing of Terrorism. 11. SFIs should also ensure that customers are adequately informed of the fundamental benefits, risks and terms of the products. This could take the form of a brief notice8 issued to clients to increase customer awareness; thus helping to ensure that risks are aligned to clients’ documented goals and risk appetites. 12. Depending on the digital assets activity exposure, SFIs should mitigate any number of risks inherent to supporting technology used to conduct business. Moreover, SFIs should also consider frequent maintenance, monitoring, and reviewing of the technology and the associated risks. SFIs should refer to the Technology Risk Management Guidelines to ensure that their risk management frameworks sufficiently mitigate any cyber risks.

7 This definition is sourced from the DARE Act, 2020. As of June 2021, El Salvador instituted Bitcoin as legal tender. Nevertheless, Bitcoin and other similar digital assets that might attain legal tender status would be categorised as virtual currency tokens for regulatory purposes. 8 SFIs can determine other forms of notice to their clients.

Bank Supervision Department 7 FORMS OF DIGITAL ASSET ENGAGEMENT 13. SFIs are not restricted from offering traditional financial services to digital asset businesses. However, the Central Bank reserves the right to impose additional requirements with respect to SFIs’ digital asset business activities. The following forms of digital asset activities govern the Central Bank’s notification requirements and expectations: i) Issuing Digital Tokens; ii) Doing business as a digital asset service provider; iii) Outsourcing business to a digital asset service provider; and iv) Doing business on behalf of clients investing in digital assets. Issuing Digital Tokens 14. SFIs are required to notify the Central Bank prior to engaging in ITOs. 9 15. As SFIs have successfully raised funds through initial public share offerings in the past, they are permitted to issue ITOs for asset tokens, non-fungible tokens, and utility tokens that have similar properties as shares or that have some other underlying value. Conversely, direct issuance of non-fiat linked virtual currency tokens is not permitted. 16. Where ITOs have the potential to create an ownership interest within the SFI, the SFIs must first apply to the Central Bank for approval before issuance. Where five percent or more of the issued share capital of a publicly traded SFI is held or acquired through tokens, SFIs shall, within 28 days of the acquisition, notify the Central Bank and comply with all other reporting requirements under the Banks and Trust Companies (Acquisition of Shares) Regulations, 2005.10 Furthermore, the Central Bank’s dividend payment policies remain applicable to tokenised shares as with traditional shares. 17. Notwithstanding SCB’s regulatory oversight for ITOs and digital asset exchanges, the Central Bank will monitor SFIs’ digital asset exposures, for prudential and exchange control purposes. Doing Business as a Digital Asset Service Provider 18. In doing business as a Digital Asset Service Provider, SFIs are expected to perform a risk assessment in addition to notifying the Central Bank, no later than ten business days before establishing such operations. This ensures that SFIs have considered the risks as well as how the exposures align with their respective risk appetites and business models. The Central Bank

9 In reviewing proposals to act as an issuer or organiser of ITOs, the Central Bank will determine whether the offering would meet the definition, and satisfy the requirement of a sanctioned instrument under the PSA, or be subject to any regulatory oversight criteria that the SCB may establish. 10 Under these Regulations, an exemption is extended in the case of publicly traded SFIs, where the issued share capital of a publicly traded SFI is to be acquired by a single person or a group of persons acting together, and the aggregate holdings of such person or persons does not exceed five per cent of the issued share capital of the publicly traded SFI.

Bank Supervision Department 8 may also require more formal discussions with senior management. Additional factors that may impact these requirements are the SFI’s existing reporting requirements, profitability, and capital adequacy. Outsourcing Business to Digital Assets Service Providers 19. SFIs are also required to notify the Central Bank prior to outsourcing activities to Digital Assets Service Providers. SFIs should communicate the details of the relationship, review and verify the governance and activities of the digital asset service provider, and ensure that the entity has the proper risk management framework to mitigate any risks that could materialise from third party or outsourcing arrangements. Any additional requirements would depend on the SFI’s existing reporting requirements, profitability, and capital adequacy. Further, it is the duty of the SFI to comply with the provisions in accordance with the Outsourcing Guidelines. Doing Business on behalf of clients investing in digital assets 20. SFIs that offer services to clients who are investing in digital assets are not required to notify the Central Bank. This form of digital asset activity is broad, and can range from digital assets custody, exchange, and financing purchases. SFIs may accept cryptographic keys from clients to keep in custodial arrangements. However, SFIs should ensure that private keys and other necessary data are securely stored; and ensure the ongoing availability of assets held under custody. 21. Authorised Dealers and Agents are SFIs deemed “resident” for Exchange Control purposes that can facilitate purchases and sales of digital assets on behalf of residents through the Investment Currency Market (“ICM”). SFIs deemed “non-resident” for exchange control purposes can facilitate such activities by “non-residents” free of exchange control restrictions. Nevertheless, SFIs designated as an Authorised Dealers or Agents can only facilitate digital assets transactions or maintain trading portfolios on behalf of clients categorised as “residents”, after they have obtained Exchange Control approval to do so. 22. Whether by credit card or direct use of foreign exchange, only Authorised Dealers are permitted to supply foreign exchange for foreign portfolio investments, inclusive of digital assets. 23. When onboarding new clients for digital asset custodial services, SFIs should undertake enhanced due diligence (“EDD”) to ascertain the source of funds used to acquire the digital assets and the origination of the assets. SFIs should also obtain a list of beneficiaries and signatories on the custody account. SFIs facilitating digital custody should require that the client provide any combination of their public key, or wallet address, as necessary, to identify the beneficial owner of the digital asset. 24. SFIs must maintain adequate accounting and other relevant records, adequate systems and controls to accurately track ownership and quantity of client digital assets; and maintain appropriate business continuity processes, procedures and controls. 25. SFIs must not accept virtual currency tokens or other digital assets as deposit liabilities on their balance sheets. There is no prohibition against extending credit to clients for the purchase of digital assets, however, SFIs must ensure that the collateral for such credit, in the

Bank Supervision Department 9 event of default, do not deviate from the acceptable forms of assets or securities that they are directly permitted to hold on their balance sheet. 26. It should also be noted that the preceding forms of digital asset activity are not mutually exclusive. SFIs may engage in these activities simultaneously. Where SFIs are exposed to more than one form of digital asset activity they are expected to establish additional controls where appropriate. PRUDENTIAL TREATMENT Prudential Classification Conditions 27. Given the diversity of digital assets and the varying levels of decentralisation that exist within the digital assets ecosystem, the prudential treatment shall be based on the characteristics of the assets and not simply their terminologies. The Central Bank has adopted a broad-based approach for the appropriate guidance to promote safety and soundness. For prudential purposes, digital assets are divided into three separate categories: Group 1a, Group 1b, and Group 2 digital assets. Group 1a digital assets include tokenised traditional assets that meet all the classification conditions. Group 1b digital assets include stablecoins that meet all the classification conditions. Group 2 digital assets include all other digital assets (i.e. tokenised traditional assets, stablecoins and unbacked digital assets) that fail to meet the classification conditions. 28. To qualify for treatment as a Group 1 (1a and 1b) digital asset, the following four classification conditions must be satisfied on an ongoing basis: i) Classification Condition 1: The asset is either: (i) a tokenised traditional asset; or (ii) has a stabilisation mechanism that is effective at all times in linking its value to a traditional asset or a pool of traditional assets (i.e. reference asset(s)); ii) Classification Condition 2: All rights, obligations and interests arising from the digital asset arrangement are clearly defined and legally enforceable in all the jurisdictions where the asset is issued and redeemed. In addition, the applicable legal framework(s) ensure(s) settlement finality; iii) Classification Condition 3: The functions of the asset and the network on which it operates, including the distributed ledger or similar technology on which it is based, are designed and operated to sufficiently mitigate and manage any material risks; and iv) Classification Condition 4: Entities that execute redemptions, transfers, storage or settlement finality of the digital asset, or manage or invest reserve assets, are regulated and supervised, and subject to appropriate risk management standards. 29. Tokenised traditional assets will only meet Classification Condition 1, if they satisfy the following requirements: i) They are digital representations of traditional assets using cryptography, DLT or similar technology to record ownership; ii) They pose the same level of credit and market risk as the traditional form of the asset;

Bank Supervision Department 10 iii) They do not need to be first redeemed or converted into traditional assets before they receive the same legal rights as direct ownership of traditional assets; and iv) Through their specific construction, they do not involve additional counterparty credit risks relative to traditional assets. 30. Digital assets that have a stabilisation mechanism will only meet Classification Condition 1 if the digital asset is designed to be redeemable for a predefined amount of a reference asset or assets (e.g. 1 USD, 1 oz. gold) or cash equal to the current market value of the reference asset(s) (e.g. USD value of 1 oz. gold). The value of the reference asset(s) to which one unit of the digital asset is designed to be redeemable is referred to as the “peg value”. 31. The stabilisation mechanism must be designed to minimise fluctuations in the market value of the digital assets relative to the peg value. In order to satisfy the “effective at all times” condition, SFIs must have a monitoring framework in place verifying that the stabilisation mechanism is functioning as intended. 32. The stabilisation mechanism must enable risk management similar to the risk management of traditional assets, based on sufficient data or experience. For newly established digital assets, evidence must be provided to satisfy the Central Bank of the effectiveness of the stabilisation mechanism, including composition, valuation and frequency of valuation of the reserve asset(s) and the quality of available data. 33. SFIs should ensure that there exists sufficient information to verify the ownership rights of the reserve assets upon which the stable value of the digital asset is dependent. In the case of underlying physical assets, SFIs must verify that these assets are stored and managed appropriately. This monitoring framework must function regardless of the digital asset issuer. SFIs may use the assessments of independent third parties for the purposes of verification of ownership rights, only if they are satisfied that the assessments are reliable. Stabilisation mechanisms that reference other digital assets as underlying assets (including those that reference other digital assets that have underlying traditional assets or use protocols to increase or decrease the supply of the digital asset) will be classified as Group 2 digital assets. 34. SFIs should ensure that the digital asset passes the redemption risk test. The objective of the redemption risk test is to ensure that the reserve assets are sufficient to enable the digital assets to be redeemable at all times for the peg value, including during periods of extreme stress. To pass the redemption risk test, SFIs must ensure that the digital assets arrangement meets the following conditions: a. Value and composition of the reserves assets. Value and composition of reserve assets. The value of the reserve assets (net all non-digital asset claims on these assets) must at all times, including during periods of extreme stress, equal or exceed the aggregate peg value of all outstanding digital assets. If the reserve assets expose the holder to risk in addition to the risks arising from the reference assets, the value of the reserve assets must sufficiently over collateralise the redemption rights of all outstanding digital assets. The level of overcollateralisation must be sufficient to ensure that even after stressed losses are incurred on the reserve assets, their value exceeds the aggregate value of the peg of all outstanding digital assets.

Bank Supervision Department 11 b. Asset quality and criteria for reserve assets. For digital assets that are pegged to one or more currencies, the reserve assets must be comprised of assets with minimal market and credit risk. The assets shall be capable of being liquidated rapidly with minimal adverse price effect. For example, these assets may be defined as Level 1 HQLA. Further, reserve assets must be denominated in the same currency or currencies in the same ratios as the currencies used for the peg value. A de minimis portion of the reserve assets may be held in a currency other than the currencies used for the peg value, provided that the holding of such currency is necessary for the operation of the digital asset arrangement and all currency mismatch risk between the reserve assets and peg value has been appropriately hedged. c. Management of the Reserves. The governance arrangements relating to the management of reserve assets must be comprehensive and transparent. They must ensure that: i. The reserve assets are managed and invested with an explicit legally enforceable objective of ensuring that all digital assets can be redeemed promptly at the peg value, including under periods of extreme stress. ii. A robust operational risk and resilience framework exists to ensure the availability and safe custody of the reserve assets. iii. A mandate that describes the types of assets that may be included in the reserve must be publicly disclosed and kept up to date. iv. The composition and value of the reserve assets are publicly disclosed on a regular basis. The value must be disclosed at least daily and the composition must be disclosed at least weekly. v. The reserve assets are subject to an independent external audit at least annually to confirm they match the disclosed reserves and are consistent with the mandate. 35. SFIs, annually or more frequently, are responsible for: (i) assessing whether a digital asset is compliant with the classification conditions; and (ii) demonstrating to supervisors how a digital asset fulfils these conditions. Thus, SFIs should have in place the appropriate risk management policies, procedures, governance, human, and IT capacities to evaluate the risks of engaging in digital asset business and implement these accordingly on an ongoing basis and in accordance with internationally accepted standards. Prudential Risks 36. In addition to identifying the risks involved with the infrastructure of digital asset arrangements and applying effective risk management frameworks to manage such risks, digital assets also receive specific prudential risk treatment. Following an assessment of the risks involved in these assets, the Central Bank expects SFIs to incorporate best practices and maintain high standards including instances where digital assets have similar characteristics as traditional assets. Infrastructure Risk-Add on 37. Group 1 digital assets are incorporated into the existing regulatory framework since these assets are deemed lower risk than Group 2 digital assets. As digital assets technology

Bank Supervision Department 12 continues to evolve, unforeseen risks inherent with DLTs or similar technology could crystallise; therefore SFIs would be able to apply an add-on to the capital requirement for exposures to Group 1. The infrastructure risk add-on is set to zero and the Central Bank reserves the right to apply an add-on to the capital requirement for exposures to Group 1 digital assets based on any observed weakness. Credit Risk11 38. SFIs should ensure that their credit risk frameworks adequately capture any underlying risks that could increase the likelihood of default based on the characteristics of the digital assets. With regards to recognising Group 1 digital assets as collateral, SFIs must separately assess these assets which are not permitted to be recognised as eligible collateral under the Capital Regulations, 2022. 39. Additionally for lending exposures to Group 2 digital assets a direct deduction from Common Equity Tier 1 (“CET1”) capital or a risk weight of 100 per cent is required. Where SFIs wish to extend loans for the purchase of digital asset exchange traded funds (“ETFs”), these loans should be backed by cash or other low-risk asset. Such loans shall be considered higher risk with risk weights that ranges from 75 per cent to 100 per cent, depending on the underlying assets of the digital asset ETF. Specifically, the risk weights to be applied are dependent on whether the ETF is comprised mainly of Group 1 digital assets or Group 2 digital assets. Liquidity Risk 40. Due to the risks associated with the settlement of certain digital assets, stringent liquidity standards will apply. Notwithstanding the similarities that tokenised traditional assets may share across different prudential risk types, there may be instances where the redemption timeframe of a digital asset may exceed that of a traditional asset. Thus, digital assets will not be included in the stock of high quality liquid assets (“HQLA”) under the Liquidity Coverage Ratio (“LCR”). Digital assets are not considered readily accessible to meet obligations that are coming due. By implication, no category of digital assets would be eligible to meet reserve requirements or liquid assets requirements. Market Risk 41. There is no separate trading book and banking book treatment for Group 2 digital assets. For Group 2 digital assets exposures, a risk weight of 1,250% is applied to the greater of the absolute value of the aggregate long positions and the absolute value of the aggregate short positions to which the SFI is exposed: Risk Weighted Assets = Risk Weight x max [abs (long), abs (short)] 42. SFIs are required to disclose the methodology related to their asset valuation calculations and, when possible, use recognised benchmarks or observable, bona fide, arms-length market transactions. The Central Bank expects that SFIs’ risk management policies and procedures will be commensurate with the risks associated with direct and indirect exposure to digital

11 Payment service providers, however, are prohibited from offering lending services.

Bank Supervision Department 13 assets. Changes in the risk profile of the digital asset portfolio should be incorporated in SFIs’ ICAAP to determine if additional adjustments are needed to CET1 capital. The Central Bank reserves the right to place restrictions on an SFI’s digital asset activity or to require that it liquidate such investments. Exposure Limits 43. SFIs shall comply at all times with the exposure limits established in the Large Exposure Guidelines12 , for the purpose of measuring and controlling its exposure to Group 1 digital assets. The exposure measure assigned for group one digital assets is reported as the exposure value of the underlying asset, or the asset to which the digital asset is pegged. 13 44. Additionally, a SFI’s exposure, in aggregate, to Group 2 digital assets may not exceed two percent of the SFI’s eligible capital base. The aggregate exposure measure is equal to the total gross exposure value, with no netting or recognition of diversification benefits, and includes both direct holdings (cash and derivatives), and indirect holdings (i.e. those via investment funds, exchange traded funds / exchange traded notes, and special purpose vehicles). Operational Risk 45. The operational risk resulting from digital asset activities should generally be captured by the operational risk standardised approach through the Business Indicator – which should include income and expenses resulting from activities relating to digital assets – and through the Internal Loss Multiplier – which should include the operational losses resulting from these activities. To the extent that operational risks relating to digital assets are insufficiently captured by the minimum capital requirements for operational risk and by the internal risk management processes, SFIs should take appropriate steps to safeguard capital adequacy and promote sufficient resilience. Leverage Ratio 46. Digital assets are included in the leverage ratio exposure measure according to their value for financial reporting purposes, based on applicable accounting treatment for exposures that have similar characteristics. For cases where the digital asset exposure is an off-balance sheet item, the relevant credit conversion factors set out in the Fourth Schedule of the Capital Regulations, 2022 will apply in calculating the exposure measure. 47. For Group 1b digital assets/stablecoins, where the SFI is involved in the digital asset network14 as a member who is able to deal directly with the redeemer and has promised to purchase digital assets from non-member holders, the member also needs to include the total current

12 Digital Assets that do not present risk of default (e.g. digital representation of gold, cash, and certificates of deposit) are exempted from large exposure requirements. 13 Where a digital asset comprises of a pool of underlying assets, the SFI must look-through the pool to identify its exposure to each of the underlying assets. 14 (See 60.17, 60.36, 60.37, and 60.114 (bis.org))

Bank Supervision Department 14 value of all the off-balance sheet digital assets that the SFI could be obliged to purchase from holders. CENTRAL BANK REPORTING REQUIREMENTS 48. The reporting requirements for SFIs’ exposures to digital assets or related activities should follow the five general guiding principles for disclosures set out in the Basel Framework. 15 According to the Basel Committee’s, disclosures should be: i. Clear; ii. Comprehensive; iii. Meaningful to users; iv. Consistent over time; and v. Comparable across banks. 49. In addition to quantitative information, SFIs must provide qualitative information that sets out an overview of their digital asset activities and the main risks related to their digital asset exposures, including descriptions of: i) Business activities related to digital assets, and how these business activities translate into components of the risk profile of the SFI; ii) Risk management policies of the SFI related to digital asset exposures; iii) Scope and main content of the SFI’s reporting related to digital assets; and iv) Most significant current and emerging risks relating to digital assets and how those risks are managed. 50. Notwithstanding the less conservative treatment for Group 1 digital assets in general, SFIs are expected to report all digital asset exposures separately from traditional asset classes. SFIs are also required to advise the Central Bank of any material digital asset exposures on a regular basis, including for each specific type of digital asset exposure information on: i) The direct and indirect exposure amounts (including the gross long and short components of net exposures); ii) The capital requirements; and iii) The accounting classification. 51. In addition to the separate disclosure requirements set out above that apply to all Group 1 and Group 2 digital assets, SFIs must include exposures to Group 1 digital assets in the relevant existing ERS forms that apply to traditional assets (e.g. for credit risk and market risk).

15 (DIS10 – Disclosure Requirements)