If an institution delegates the operation of the validator node to a third party (other banks or staking pool operators), the institution has only a claim against that third-party provider. This claim can be treated as a custodial asset in the sense of art. 16 para. 2 of the Banking Act, provided the Swiss Banking Directives on fiduciary investments are followed. Additionally, the following conditions must be met:
- the counterparty risk is limited by selecting an institution subject to prudential supervision with a good credit standing, or the subsidiary of a consolidated and prudentially supervised financial group with a good credit standing;
- it is ensured by means of a specific due diligence that:
  - the third-party provider is not conducting business on an unauthorized basis;
  - the third-party provider holds the relevant withdrawal keys itself, which rules out long staking chains. If the third-party provider wishes to use another provider, the institution must verify that the mitigation measures (such as presigning the withdrawal transactions) have an equivalent effect;
  - the third-party provider records the validator addresses (e.g. by means of an internal register) on which it holds the custodians’ crypto assets and informs the custodian of these;
  - the third-party provider has taken all necessary measures to limit operational risks relating to the operation of the validator node, such as validation errors or offline status, rule out other penalties on the validator and ensure business continuity; and
NOTE: If providers domiciled outside of Switzerland are used, then in addition to the abovementioned requirements, such providers must be subject to prudential supervision in a jurisdiction with equivalent regulation that offers the same legal certainty as Switzerland regarding the treatment of crypto assets held in custody under bankruptcy law, and must undergo specific due diligence that includes the requirements listed above for providers based within Switzerland.
- draw up a Digital Assets Resolution Package (DARP) to ensure adequate risk management. The DARP should be updated regularly.