
Building Trust in a Digital Age: Essential Elements of a Digital Asset Policy

Staying Ahead of the Curve in a Transformative Era

This paper is a practical guide for financial institutions developing a digital asset policy. As cryptocurrencies and blockchain technology reshape finance, this framework helps institutions navigate the opportunities and risks of digital assets. It covers defining scope, managing risk, establishing governance, and ensuring regulatory compliance, offering insights for confident engagement with this evolving landscape.

The need for a digital asset policy


The rise of digital assets, powered by Distributed Ledger Technology (DLT), is reshaping the financial landscape, presenting both unprecedented opportunities and complex challenges for traditional financial institutions. This paper seeks to outline essential considerations for traditional financial services firms when developing their digital assets policy amid a constantly evolving landscape of DLT and its transformative impact on digital assets. DLT, in particular blockchain, has ushered in a new era of decentralized and secure methods for creating, managing, and exchanging digital assets. These assets, encompassing a broad spectrum from tokenized traditional assets to cryptocurrencies and stablecoins, present diverse opportunities and risks. While DLT can streamline processes such as settlement and clearing, leading to increased efficiency and cost reduction, regulatory frameworks are still evolving to keep pace with this innovation. Furthermore, varying approaches to classification, oversight and investor protection are emerging across jurisdictions, which further creates the need for a group-wide policy or standard. In this dynamic environment, both traditional financial institutions and crypto-native firms are adapting to these new models, with the former increasingly integrating digital asset products and services. This policy serves as a strategic guide for firms to navigate the complexities of this evolving ecosystem, ensuring compliance, risk management and market competitiveness. The aim of this paper is to give both traditional financial firms and crypto-natives a baseline structure for what a digital asset policy could look like at a firm that is either exploring digital assets for the first time or is a seasoned player in the market.
We have included the more theoretical components of a successful digital assets policy from our market experience alongside highlighting some challenges and choices firms have faced when looking to implement the relevant component of the policy. This paper serves as a springboard for firms to initiate informed discussions and tailor their digital asset policies to their specific risk appetite, business objectives, and regulatory environment.

Key components of a digital assets policy


The sections below highlight the key areas that firms may decide to include in their digital assets policy. Each section outlines the type of content that would be expected to be covered in sub-sections of the policy.

Firms should narrate the background for creating a digital assets policy and how it is intended to be used. It is important for the firm to set out their strategy for the diverse types of digital assets products and services being offered. This section should also introduce the concept of digital assets and how digital assets operate with or without the use of blockchain technology. Firms should narrate the rationale for having a centralised, overarching digital assets policy to provide a summary view of the firm’s view on the use of DLT and its current and upcoming future activity in relation to digital assets. The overview should cover at a very high level the global geopolitical and regulatory digital assets landscape with reference to the firm’s business model. Firms should consider cross-referencing to a set of definitions of different types of digital assets, to differentiate between (as a minimum) digital versions of traditional assets, stablecoins and cryptocurrencies. This may be in the policy scope section below, or elsewhere in the policy.

Firms should clearly outline how they define the term ‘digital assets’ for their business and where this definition has been derived from (i.e., from industry standards or regulation). It may be relevant for the firm to expand on their digital assets strategy in relation to this policy. This will include more detail on the types of digital assets and technology being used. Examples of this are:

  • Digitally native assets issued using DLT (e.g., tokens)
  • Traditional finance products or services that are being tokenised (e.g., tokenised bonds)
  • Derivative or exchange traded products referencing cryptocurrencies (e.g., Bitcoin ETFs)

The firm should define their process for how it categorises and manages the below in relation to digital assets activity:

  • Prohibited activities
  • Activities permitted in limited circumstances
  • Generally permitted activities

Refer to the requirement to follow the governance processes described in the policy that are specific to use of DLT and/or interacting with digital asset products or services. Additionally, there should be guidance on any individuals or teams that may be exempt from this policy.

Internal communication: There may be instances where teams within the organisation desire to create digital assets related products or services but are unaware of similar products being created by other teams within the firm. Information on the various digital asset projects that are occurring around the firm should be communicated clearly with the whole firm once no longer designated as confidential. This function could sit with the internal communications team or perhaps more appropriately with the digital assets team who can collaborate with the internal comms team to distribute key updates. We discuss more detail on roles and responsibilities in the following section.

External communication: Once the overall digital assets strategy for the firm is agreed, a clear line for external communications should be agreed. This will allow both any marketing materials and communications with the media to align with the internal strategy. It can also be used for internal guidance on items such as employee training regarding posting on social media when discussing digital assets.

Firms may establish separate digital assets teams solely responsible for all digital assets related activity within the business. Accordingly, firms should outline how these teams will work with other areas of the business. One way to do this would be to identify the key 1st, 2nd, and 3rd line stakeholders within the organisation responsible for managing digital assets activity within their units and ensure regular communication between business units. There may be a need for roles that take accountability for certain digital asset related activity. The firm should describe the roles and responsibilities in relation to digital asset activity, including escalation channels where applicable. Whilst not all the roles listed below are necessary for all firms, there would be a need to have a person responsible for the coordination of any activity.

Example roles are noted below:

  • Head of Digital Assets
  • Head of Digital Asset Risk Management
  • Head of Digital Assets Compliance
  • Head of Digital Asset Financial Crime Risk
  • Head of Digital Asset Custody
  • Head of Digital Assets Technology
  • Head of Digital Assets Platforms / Product
  • Head of Internal Audit Technology (with responsibility for Digital Asset/DLT audits)

One of the roles above should also be appointed as the digital assets policy owner. This person would be responsible for ensuring that this policy is being applied in practice. Additional responsibilities include annual policy reviews, updates, and approvals. These roles reflect the various policies and procedures that would need to consider digital assets and their underlying technology in one way or another. Each firm will need to consider if a standalone role would be most appropriate, or whether the responsibility should be added to the scope of a pre-existing role (for example the Head of Digital Assets Technology role may be carried out by the existing Head of Technology or CTO).

The firm should outline how this policy aligns to the wider risk management framework (if applicable) for managing digital assets risks. This may include the policy’s objective to be an overarching document summarising the bank’s stance and exposure to digital assets, while referencing a detailed set of wider documentation specific to digital assets (e.g. risk registers or risk and control matrices). Alternatively, it may cross-refer to a separate risk appetite statement regarding digital assets, depending on the firm’s approach.

Firms should identify the key control frameworks used to manage digital assets activity by 1st and 2nd Lines of Defence (LODs) within the organisation. This may include 2nd line risk and compliance teams with a mandate to incorporate digital assets activity within their existing control frameworks and/or newly created risk and compliance teams mandated to create standalone control frameworks. There should be information on the key monitoring programs used to monitor and report on digital assets activity across business lines and by 2nd line risk and compliance teams.

Within a governance and oversight section of the digital assets policy the firm should provide details on the robust framework for managing digital assets, encompassing clear approval processes for new initiatives, a strong link to the firm's risk appetite, and considerations for evolving regulatory landscapes. This includes detailing the lifecycle of digital asset proposals, specifying approval gates and stakeholders, and addressing the potential need for a dedicated digital asset approval committee. Additionally, the policy should clarify the firm's stance on public versus private blockchains, acknowledging client demand while outlining the current preference for private or hybrid models due to regulatory uncertainties. Furthermore, the policy should address the unique risks associated with third-party providers in the digital asset space, detailing a robust due diligence process for onboarding Virtual Asset Service Providers (VASPs) or Crypto-assets Service Providers (CASPs) that goes beyond standard approaches.

There should be reference to a detailed repository of digital assets related policies and guidelines across other business areas. An example of this would be references to the underlying technology (like DLT) that may reside within the firm’s ICT and Information Security policies. Further reference could be made to:

  • Digital assets risk management framework (which includes risk appetite)
  • Technology-related policies e.g., Access policy, change management policy, security policy.
  • Third party risk management frameworks e.g., outsourcing policy.
  • Due Diligence processes for onboarding of VASPs or CASPs.
  • Digital assets regulations applicable to the firm.
  • Personal Account Dealing policy for requirements related to holding and trading of crypto assets like cryptocurrencies.
  • Financial Crime Risk Management e.g., AML, KYC requirements.
  • Credit risk policy and how these are amended when clients make use of digital assets.
  • Confidential information policy.
  • Conflicts of interest policy.

Conclusion


Building a Foundation for Responsible Innovation

In the rapidly evolving world of digital assets, establishing an internal view is paramount. This paper seeks to give both established traditional financial firms and newer crypto-native firms the broad outline of what a digital asset policy could look like within a firm. It should serve those looking to initiate digital assets projects within their firms, or those looking to revamp their governance structure to incorporate digital assets, as a starting point for these discussions.

Whilst not all areas will be directly applicable to all firms, the concepts and underlying themes should resonate with all firms either entering the digital assets space or looking to expand their existing offerings. This document seeks to support firms in ensuring compliance at a policy level and to provide stakeholders within the firm with a central view of the firm’s stance on digital assets and the use of DLT.

With the continued focus from global regulators, as well as major publications of new rules and requirements such as the EU’s Markets in Crypto-Assets Regulation, the importance of being able to prove to regulators and supervisors the ability to understand, quantify and control for the unique risks posed by digital assets has never been more in focus. By embracing a proactive and comprehensive approach to digital asset policy, firms can position themselves at the forefront of this transformative era in finance.
