Recommendation 1: Common standards of regulatory outcomes

Regulators are called on to use their existing regulatory framework or to develop new frameworks to regulate and oversee cryptoassets trading, other cryptoassets services and the issuing, marketing and selling of cryptoassets in line with IOSCO's objectives and principles of securities regulation and relevant supporting materials, seeking to achieve regulatory outcomes for investor protection and market integrity that are the same or aligned to those that are required in traditional financial markets. 

Recommendation 2: Organisational governance

Regulators should require CASPs to have effective governance and organisational arrangements including systems, policies and procedures to address conflicts of interests, including those arising from different activities undertaken, and services provided by a CASP or its affiliated entities.  Regulators should consider having the tools to require legal disaggregation and separate registration and regulation of certain activities and functions if conflicts cannot be effectively mitigated.

Recommendation 3: Disclosure of role, capacity and trading conflicts

Regulators should require a CASP to disclose each role and capacity in which it acts.

Recommendation 4: Client order handling

Regulators should require CASPs, when acting as an agent, to handle all client orders fairly and equitably and should have in place systems, policies and procedures to ensure the fair and expeditious execution of client orders and restrictions on front running client orders.  Clients and prospective clients should receive details of systems, policies and procedures as relevant.

Recommendation 5: Market operation requirements

Regulators should require a CASP that operates a market or acts as an intermediary to provide pre- and post-trade disclosures.

Recommendation 6: Admission to trading

Regulators should require CASPs to establish, maintain and appropriately disclose to the public their standards for listing and admitting cryptoassets to trading on their markets (and their standards for removing cryptoassets from trading).

Recommendation 7: Management of primary markets conflicts

Regulators should require a CASP to manage and mitigate conflicts of interest relating to the issuance, trading and listing of cryptoassets.

Recommendation 8: Fraud and market abuse

Regulators should take enforcement action against offences involving fraud and market abuse in cryptoasset markets.

Recommendation 9: Market surveillance

Regulators should apply market surveillance requirements to each CASP to mitigate market abuse risks.

Recommendation 10: Management of material non-public information

Regulators should require a CASP to have systems, policies and procedures in place regarding the management of material non-public information.

Recommendation 11: Enhanced regulatory cooperation

In recognition of the cross-border nature of cryptoassets issuance, trading and other activities, regulators should be able to share information and cooperate with regulators and relevant authorities in other jurisdiction in relation to such activities. 

Recommendation 12: Overarching custody recommendation

Regulators should apply IOSCO's recommendations regarding the protection of client assets when considering the application of existing or new frameworks to CASPs that undertake custody activities.

Recommendation 13: Segregation and handling of client monies and assets

Regulators should require a CASP to place client assets in trust, or to otherwise segregate them from the CASP's proprietary assets.

Recommendation 14: Disclosure of custody and safekeeping arrangements

Regulators should require a CASP to disclose to a client how client assets are held and arrangements for safeguarding assets and/or private keys, the use of other custodians, the use of aggregation or pooling and risks attached, the CASP's obligations and responsibilities relating to the use of client assets as well as private keys and terms for their restitution and the risks involved.

Recommendation 15: Client asset reconciliation and independent assurance

Regulators should require a CASP to have systems, policies and procedures to undertake regular and frequent reconciliations of client assets subject to appropriate independent assurance.

Recommendation 16: Securing client money and assets

Regulators should require a CASP to adopt appropriate systems, policies and procedures to mitigate the risk of loss, theft or inaccessibility of client assets.

Recommendation 17: Management and disclosure of operational and technological risks

Regulators should require a CASP to comply with operational and technology risk and resilience requirements in accordance with IOSCO's recommendations and standards. CASPs should be required to disclose all material sources of operational and technological risks and have appropriate risk management frameworks to manage and mitigate such risks.

Recommendation 18: Retail client appropriateness and disclosure

Regulators should require a CASP to operate in way that is consistent with IOSCO's standards when interacting and dealing with retail clients. CASPs should be required to implement adequate systems, policies and procedures and disclosure in relation to onboarding new clients and as part of their ongoing business with existing clients. This should include an assessment of the appropriateness and/or suitability of particular cryptoasset products and services offered to each retail client.