Custody Policy - EEA
Updated: 21 March 2025
1. Purpose and Scope
OKCOIN EUROPE LTD (the “Company”) is a private limited liability company incorporated and registered in Malta under company registration number C88193, with its registered office at 66A, The Strand, Sliema SLM 1022 (the “Company”). The Company operates under the brand “OKX”and is part of the OKX group of centralised crypto exchanges.
As of 27 January 2025, the Company has been authorised as a Crypto-Asset Service Provider (“CASP”) under the Markets in Crypto Assets Act (Chapter 647 of the Laws of Malta), and as of 14 February 2025, the Company has been authorised to operate in the below 27 EU countries (“Permitted Countries”) as a CASP to provide the below listed services (“Permitted Services”) under article 63 of the Markets in Crypto Assets Regulation (EU) 2023/1114 of 31 May 2023 (MiCAR). The Company is regulated and supervised by the Malta Financial Services Authority (the “MFSA”).
Permitted Countries:
Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden.
Permitted Services:
Exchange of crypto-assets for funds
Exchange of crypto-assets for other crypto-assets
Execution of orders for crypto-assets on behalf of clients
Operation of a trading platform for crypto-assets
Placing of crypto-assets
Providing custody and administration of crypto-assets on behalf of clients
Providing portfolio management on crypto-assets
Providing transfer services for crypto-assets on behalf of clients
Reception and transmission of orders for crypto-assets on behalf of client
This Custody Policy (this “Policy”) is designed to outline the high-level custody management principles in relation to crypto-assets (the “Crypto-Assets”) as well as money (FIAT currency) (the “Clients’ Money”) which are held and/ or controlled by the Company (Crypto-Assets and Clients’ Money are collectively referred to as the “Custody-Assets”) in respect of its clients (each a “Client” and collectively the “Clients”).
The principal objectives of this Policy are:
a) to provide an understanding of how the Company’s custody solution operates from a technical and operational perspective;
b) to outline the Company’s overall approach to the custody of Custody-Assets including management, storage, access and security; and
c) to list the procedures and controls to ensure proper safekeeping, accountability, backup, recovery steps and reconciliation.This Policy has been reviewed and approved by the Board of Directors of the Company (the “Board of Directors”).
This Policy has been drawn up in accordance with the applicable legal and regulatory framework, including Regulation (EU) 2023/1114 on Markets in Crypto-Assets and other applicable laws, regulations, rules and guidelines in relation to the Company (collectively, “Applicable Law”).
2. General Principles
2.1. Segregation
The Company segregates Custody-Assets held on behalf of Clients from its own assets in accordance with Applicable Law. The Company will ensure that, on the distributed ledger, the Crypto-Assets of Clients are held separately from its own Crypto-Assets.
2.2. Protection and Use
The Company has appropriate arrangements for the protection of Custody-Assets and aims to act in the best interests of its Clients. The Company will ensure that there is no unauthorised use of the Custody-Assets. The Company will ensure that Custody-Assets are adequately safeguarded against misappropriation, theft, or loss.
2.3. Right of Ownership and Exercise of Rights
Each Client enjoys a right of ownership over the Custody-Assets. Where Custody-Assets are held by the Company as part of a common pool of identical Custody-Assets or are otherwise held in a common account, the Client will have an undivided share in ownership of the Custody-Assets held collectively by the Company in such common pool or account. The Clients’ rights in respect of Custody-Assets will be properly exercised and respected by the Company. This is principally achieved via the following:
Client Instructions: Clear and documented processes for receiving, verifying, and executing client instructions regarding the exercise of rights (such as voting or staking rights).
Monitoring and Reporting: Continuous monitoring of blockchain networks and clients’ money bank accounts to track relevant events (such as voting periods, staking opportunities and/or other relevant matters) and the timely reporting to Clients about their options.
Transparency: Giving Clients detailed records and confirmation of any actions taken.
2.4. Custody-Assets not Subject to the Rights of Creditors
The Custody-Assets held by the Company will be legally segregated from the estate of the Company in accordance with Applicable Law. The creditors of the Company should not have recourse to Custody-Assets of Clients particularly in the event of the insolvency of the Company.
2.5. Delegation/ Outsourcing
The Company has not appointed any sub-custodians responsible for the safekeeping of the Crypto-Assets of its Clients.
2.6. Liability
The Company is only liable to its Clients for the loss of any Custody-Assets, or of the means of access to the Custody-Assets, as a result of an incident that is attributable specifically to the Company. In such instances, the liability of the Company is capped at the market value of the Custody-Asset that was lost at the time the loss occurred. There are specific circumstances under which we are not liable for the loss of Custody-Assets. These circumstances include, but are not limited to, incidents beyond the Company’s control or not attributable to the Company’s operations, and events occurring independently of the services or operations provided by the Company including force majeure events and other external factors the Company cannot influence or mitigate.
2.7. Reconciliation
The Company will conduct reconciliations of Custody-Assets on a regular basis between its records, the records of Clients, and the records of holdings from the respective distributed ledgers and/ or third party as applicable.
2.8. Record Keeping
The Company will keep adequate records of its safekeeping obligations, reconciliations, and other matters in terms of Applicable Law.
3. The Custody Platform
3.1. The Service Offering by the Company
The Company is committed to maintaining high standards of safety, compliance, and user trust when safekeeping Custody-Assets. The Company utilises a secured wallet structure comprised of hot and cold wallet systems in respect of the custody of Crypto-Assets. The Company holds clients’ money as designated clients’ money accounts.
The Company aims to securely store, manage and transfer Crypto-Assets while ensuring protection from unauthorised access and cyber threats. The Company’s custody platform in respect of Crypto-Assets comprises various elements that are integral to safeguarding the Crypto-Assets of Clients.
Hot & Cold Wallets: The Company’s wallet infrastructure is central to the functionality of the custody platform and is divided into hot and cold wallets to balance security with accessibility. Hot wallets are designed for immediate access to Crypto-Assets, facilitating daily transactions and user withdrawals. Hot wallets are connected to the internet making them more accessible but inherently more vulnerable to security threats. On the other hand, cold wallets provide a higher level of security by being kept offline and physically secured, thus minimising exposure to online threats. Cold wallets are generally used for the long-term storage of Crypto-Assets, where transactions may be less frequent. Our custody platform may include warm wallets, which serve as an intermediate solution, offering a blend of the accessibility of hot wallets with some of the security features of cold wallets.
Deposits & Withdrawals: Deposits involve generating unique wallet addresses for each Client, with incoming transactions monitored and credited to the Client’s account after a specified number of blockchain confirmations. Clients are notified once deposits are successfully processed. Withdrawals are also subject to stringent processes to ensure security. Clients initiate withdrawal requests via the platform interface, which are validated using 2FA and additional security checks. The Company may require multi-signature approval from more than one authorised party in the case of large withdrawals in line with internal policies. The custody platform integrates automated systems to flag suspicious transactions and manual intervention protocols to handle high-risk cases, ensuring that all withdrawals are conducted securely.
Security Measures & Risk Management: Our security measures include multi-signature wallets, key rotation, multi-factor authentication, data encryption, secure communication, role-based access, monitoring and alerts, and a dedicated audit log. The custody platform continuously assesses potential threats such as market volatility, cyber-attacks, and operational failures. Insurance protection is in place to cover theft, loss, and other risks, with coverage levels regularly evaluated to ensure that the protection is adequate for the volume and type of Crypto-Assets.
3.2. Identified Sources of Operational and ICT Risks
3.2.1. Operational Risks
Operational risks may arise from inadequate or failed internal processes, human errors, system failures, or external events. The primary sources of operational risks include:
Human Errors: Mistakes by employees or contractors in managing private keys, executing transactions, or maintaining custody accounts.
Process Failures: Weaknesses in internal procedures for transaction authorisation, record-keeping, or reconciliation processes.
Physical Security: Risks associated with physical access to critical infrastructure such as servers, hardware security modules (HSMs), or cold storage devices.
3.2.2. ICT Risks
ICT risks refer to vulnerabilities in the technological infrastructure supporting the safekeeping and control of Custody-Assets. Identified sources mainly include:
Cybersecurity Threats: Hacking attempts, malware, phishing attacks, or other forms of cyber intrusion aimed at compromising private keys or access credentials to clients’ money accounts.
System Downtime: Unplanned outages or downtime in systems used for transaction processing or custody that could delay or prevent access to Custody-Assets.
Data Integrity Risks: Corruption or loss of data due to system failures, software bugs, or unauthorised alterations.
Third-Party Risks: Risks associated with the use of third-party service providers for custody, transaction processing, or ICT infrastructure.
3.3. The Management of Operational and ICT Risks
The following main systems and controls are in place to manage Operational and ICT Risks:
(a) Cybersecurity Framework: The Company employs a multi-layered cybersecurity framework including firewalls, intrusion detection systems, and encryption protocols to protect against unauthorised access and cyberattacks.
(b) Access Control: Strict access controls are enforced, including the use of hardware security modules (HSMs), multi-factor authentication (MFA), and role-based access control (RBAC) to limit access to sensitive systems and data.
(c) Incident Response Plan: A comprehensive incident response plan is in place to address potential breaches or failures. This plan includes predefined roles, communication strategies, and recovery protocols to minimise the impact of any incident.
3.4. Reporting to Clients
The Clients will receive a statement of holdings at least once every three (3) months and upon reasonable request indicating the balance, the value, and any transfer of Custody-Assets during the period concerned.
3.5. Return of Crypto-Assets
To ensure the safe return of Custody-Assets, or the means of access of Custody-Assets, the Company maintains the following procedures:
Verification Protocols: Before returning any Custody-Assets, detailed verification processes are followed by the Company to confirm the identity of the Client and the legitimacy of the request made by the Client.
Secure Transfer Methods: The transfer of Custody-Assets to Clients is conducted using secure channels and procedures.
Timely Execution: The Company aims to process requests promptly with clear timelines communicated to Clients. Any delays will be promptly communicated with reasons provided and alternative arrangements suggested where necessary.
Record-Keeping: Detailed records are maintained including time stamps, authorisation logs, and transfer confirmations to ensure full accountability.
4. Reconciliations
The Company adopts an automated reconciliation process in respect of the custody function and keeps adequate and well-documented records for Clients.
The Company will:
reconcile, at least on a monthly basis, the balance in each Client’s money account as recorded by the Company with the balance in the statement issued by the relevant entity with whom the Company has deposited the Client’s money;
reconcile the total of all money accounts of the Clients with the total of the corresponding credit balances in respect of each Client; and
reconcile, at least on a monthly basis, the Crypto-Assets of each Client with the records of all customers and the records of holdings from the respective distributed ledgers.
The Company will undertake reconciliations on a more frequent basis if the need arises.
Checks and reconciliations are undertaken by employees who are independent from the production and maintenance of records. In the event of any discrepancy, the employee will:
a) promptly investigate the reason for the discrepancy;
b) resolve the discrepancy without undue delay; and
c) take appropriate steps for the treatment of any shortfalls until that discrepancy is resolved.
5. Training
This Policy has been provided to all relevant staff of the Company. An overview of this Policy has also been incorporated into the Company’s induction and annual training.
6. Review of this Policy
This Policy will be assessed and periodically reviewed at least on an annual basis. Any material updates to this Policy are approved by the Board of Directors of the Company.