We recommend that all organizations working with crypto, web3 or digital assets implement transaction policies. This is a great way to prevent loss of assets without sacrificing speed and efficiency from an operational perspective. 

If you’re interested in learning what a crypto transaction policy is and why it’s important, check out the basics here.

If you’re ready to start implementing transaction policies at your organization, you’ve come to the right place. Follow this step-by-step guide to learn exactly what kind of policies you can and should be implementing: 

Questions to ask when designing a digital asset or crypto transaction policy

A digital asset transaction policy enables you to control essentially every aspect of a transaction going into and out of your organization.

Before developing the policies themselves, you should consider these factors to ensure that your policies are optimized:

  • Who are your trading venues and counterparties? Make a list of the relevant parties and have it on hand.
  • Who within your organization can transfer assets? For smaller organizations, this could be as few as one or two people.
  • How much/what value can be transferred? This should be defined per asset; for example, more than 2 BTC might require approval from the COO.
  • Who is required to approve the transaction? This can be a single admin or designated group of admins based on the source wallet and transaction amount. 
  • Who has the access and credentials to edit and create transaction policies? It’s best to form a group of admins responsible for managing and approving any changes to your transaction policy to prevent a rogue employee from editing your transaction policy and moving funds to a personal wallet.

Now that you’ve figured out these vectors, you can design the policies themselves.

What to look for in a digital asset or crypto transaction policy engine

Having determined what you want to accomplish with your transaction policies, you can start actually creating them. 

If you’re looking to automate your policies, you’ll need some kind of engine to do so. A policy engine automates the workflow of parsing transaction policies, selecting the correct policy based on the transaction type, validating that parameters are met, and either approving or denying the transaction. Here are some of the parameters a transaction policy engine should include to maximize security and efficiency:

  • Initiator the user who can initiate the type of transaction to which the rule applies
  • Source the type of venue from which the transaction originates
  • Destination the transfer destination, such as an internal wallet, counterparty address, exchange account, etc.
  • Whitelisting defines if the transfer destination must be a whitelisted address, whether to allow a one-time transfer to an external address, or both
  • Amount the value a transaction must exceed before the rule applies to it
  • Time period the total accumulated value that can be transferred over a specified length of time
  • Asset the type of digital asset being used in a transaction
  • Approved by defines the user or users who need to approve the transaction

Using the engine, you should also be able to create “user groups” so that you can easily apply a single transaction policy to a group of users. This helps organizations scale quickly by modifying the user groups as teams expand, rather than constantly modifying the policy rules themselves. 

How are you securing your transaction policies?

The final factor to consider is where your transaction policy is hosted. Will it be hosted on-premise, in a cloud server, or in some other configuration?

As we’ve previously covered, the first step for secure digital asset operations is understanding who has access to your private keys (internal team, custodian, exchange, etc.). Because your transaction policy dictates the governance of your organization’s transactions, compromising the policy rules can lead to a loss of funds, regardless of the private key storage method. 

That’s why you should ask these questions when it comes time to deploy a transaction policy:

  1. Where is your transaction policy hosted?
  2. Who has physical or remote access to that device?
  3. Can an IT or security administrator access and modify the policy?
  4. If the host device is compromised, can an attacker compromise the transaction policy?

By following these transaction policy guidelines, you’ll quickly be on your way to building secure crypto and digital asset operations that scale.

About Fireblocks

Fireblocks is an all-in-one platform for running your crypto business. We’ve already helped thousands of crypto, web3, fintech, and traditional finance organizations to custody and manage their digital asset treasury holdings.

Fireblocks helps organizations securely scale crypto operations with our highly flexible, customizable Transaction Authorization Policy (TAP) Engine. Once you’ve defined transaction and whitelisting policies for your organization with Fireblocks, any deposits/withdrawals can never leave your account without the necessary quorum approvals.

Interested in learning more about Fireblocks? Request a demo to see Fireblocks’ TAP Engine in action.