Key Business Guidelines
1. Risk Management and Accident Prevention Guidelines (Internal Control and Audit Guidelines)
(Risk Management Committee)
- The Company may establish a Risk Management Committee.
- If the Company establishes a Risk Management Committee pursuant to the preceding paragraph, the Committee shall deliberate and resolve on the following matters:
  - Establishment of basic policies and strategies for risk management
  - Deliberation and approval of newly entrusted virtual assets
  - Formulation and revision of risk management standards
  - Other matters necessary for risk management
(Risk Management Standards)
- The Company may establish standards and procedures (hereinafter "Risk Management Standards") for timely identification, evaluation, monitoring, and control of risks arising from the operation of virtual assets or proprietary assets, the performance of business, and other transactions.
- Details to be specified in the Risk Management Standards and other necessary matters may include the following:
  - Basic policy of risk management
  - Structure and division of responsibilities of the organization dedicated to risk management
  - Procedures for risk management to be observed by employees in the performance of their duties
  - Procedures and methods for verifying employees' compliance with the Risk Management Standards
  - Formulation or amendment of the Risk Management Standards
  - Appointment and dismissal of the Risk Management Officer
  - Emergency risk management plan for incidents related to virtual assets and other contingencies
  - Internal reporting and approval systems
(Composition of the Risk Management Committee, etc.)
- The Company may appoint one or more Risk Management Officers to inspect and manage risks arising from asset operations, business performance, and other transactions.
- Separate regulations shall be established regarding the appointment, dismissal, and tenure of the Risk Management Officer. In this case, the "Compliance Officer" shall be deemed the "Risk Management Officer."
- Members of the Risk Management Committee shall be directors of the Board.
- The Company shall organize and maintain an organization dedicated to risk management, staffed with an appropriate number of personnel with sufficient experience and competence, to support the following duties of the Risk Management Officer:
  - Inspection and analysis of risk limit operations
  - Timely provision of risk management information to the Risk Management Committee and executives
  - Other matters necessary for risk management
(Accident Prevention – Purpose of Business Inspection)
The purpose of business inspection is to identify and rectify deficiencies immediately during the course of business execution by self-assessing and monitoring compliance with internal control procedures, thereby contributing to rational business operations, prevention of accidents, and early detection of any incidents.
- Definitions of Terms
  - Business Inspection: Internal self-inspection conducted under the supervision of the internal controller on whether all company business complies with external laws, regulations, guidelines, manuals, and directives. It is divided into daily and monthly inspections.
  - Issues: Matters identified during business inspections where external laws, regulations, guidelines, or manuals were not complied with, and which require corrective measures.
  - Advisory Matters: Cases identified during business inspections where external laws, regulations, guidelines, or manuals were not complied with, but the non-compliance was minor and did not require corrective measures, or corrective measures were completed within 5 business days from the date of identification.
- Principles of Business Inspection
  - Independence of Business Inspectors: Inspectors shall faithfully verify, from an independent standpoint, whether business was conducted properly in accordance with internal standards and procedures.
  - Right to Request Document Submission: Inspectors may request submission of documents necessary for performing inspection duties.
  - Obligation of Document Submission by Responsible Staff: Business staff must comply with requests for submission of materials by inspectors and faithfully provide materials related to inspections if their business is subject to inspection.
- Accident Prevention Activities
  - Internal Control Checklists (daily, monthly, quarterly): The internal controller carries out accident prevention activities based on checklists, subject to approval by the Compliance Officer and CEO.
2. Conflict of Interest Prevention Guidelines (Internal Control Regulations)
(Priority of Customer Interests)
- Clients' interests shall take precedence over those of the Company, its shareholders, and its employees.
- The Company's interests shall take precedence over those of its employees.
- All clients' interests shall be treated equally.
(Blocking Conflict of Interest Issues)
- Employees must not pursue their own interests or rewards through unlawful or improper means in the course of performing their duties.
- Where an employee engages in external activities outside company duties with prior Company approval, they shall not use the Company's or clients' assets, personnel, or information acquired through their work for personal benefit.
(Identification, Assessment, and Management of Conflicts of Interest)
- If employees are in or are likely to be in a conflict of interest between the Company and clients, or between clients, they shall consult with the Compliance Officer in advance and take measures to ensure that no client protection issues arise.
- If a transaction has potential for conflict of interest, employees shall take measures to minimize such risk to ensure clients' interests are not harmed. Where minimizing such risks is deemed difficult, the fact shall be disclosed to the client, and such transaction shall be discontinued.
(Prevention of Conflicts of Interest Arising from Concurrent Business Operations)
If the Company engages in business activities other than virtual asset services, it shall comply with the following:
- Where concurrent business may give rise to conflicts of interest, office spaces shall be separated.
- Confirm and manage the exchange of information between concurrent business divisions and divisions that produce or acquire undisclosed internal information related to virtual assets.
- Ensure that undisclosed internal information related to virtual assets is not used in concurrent business operations.
3. Guidelines on Prohibition of Re-Entrustment of Virtual Assets (Internal Control Regulations)
(Custody and Management of Client-Deposited Assets)
- The Company shall safely keep the same type and quantity of virtual assets entrusted by clients and shall not re-entrust them to another institution.
- The Company shall establish and operate a separate policy to ensure that client-deposited virtual assets are stored in cold wallets.
- The Company shall conduct regular reconciliations between the Company's total holdings and clients' virtual asset records to verify consistency in type and quantity, and shall perform due diligence on the status of virtual asset holdings.
4. Guidelines for Secure Custody of Virtual Assets (Wallet Guidelines)
(Cold Wallet Operation Security)
- Cold wallets shall be stored securely in physically isolated locations.
- Access and usage history of cold wallets shall be logged and securely managed, with regular inspections.
- Cold wallets shall be controlled so that withdrawals can only occur through predefined procedures and methods.
  - Internal controls and approval procedures, multi-signature, MPC, etc.
(Cold Wallet Management Security)
- Establish and implement safe backup and recovery measures for cold wallets.
- Establish measures to minimize damage in case of theft or loss of cold wallets.
- Establish security measures to prevent leakage, theft, or loss of cold wallet private keys.
(Virtual Asset Security)
- For newly entrusted virtual assets, verify safety and reliability through separate procedures.
- When purchasing cold wallet hardware, purchase products with an established reputation and stability in the market.
- Disable unnecessary peripherals and interfaces of cold wallet hardware such as USB, speakers, microphones, networks, and CD drives.
(Cold Wallet Operation Procedures)
Cold wallets shall be kept in a secure state as follows, to protect them against natural and environmental threats such as fire and against unauthorized access or theft:
- Cold wallets shall be kept completely disconnected from all forms of networks.
- Cold wallets shall be safeguarded against natural and environmental threats such as fire, and managed to prevent theft or unauthorized access.
- Cold wallet access shall always be performed by at least two personnel together.
- Locations storing cold wallets shall be designated as critical control zones, with enhanced access control and 24-hour video surveillance with no blind spots.