Treasury Policy Framework for Digital Assets

Effective governance for digital assets follows the standard three lines of defense model, adapted for digital asset specifics:

THREE LINES OF DEFENSE - DIGITAL TREASURY:

- Execute transactions within policy limits
- Day-to-day decision-making
- Initial risk identification
- Transaction documentation
- Immediate escalation of issues

- Policy development and maintenance
- Limit monitoring
- Regulatory compliance oversight
- Counterparty due diligence
- Control design and testing

- Independent assurance
- Control effectiveness testing
- Policy compliance verification
- Regulatory examination preparation
- Board/audit committee reporting

DIGITAL ASSET SPECIFICS:

• Wallet management and key custody

• Blockchain transaction verification

• Real-time position monitoring

• Technology vendor management

• Smart contract risk assessment

• Blockchain analytics monitoring

• Digital asset valuation methodology

• Regulatory change monitoring

• Custody controls testing

• Key management audit

• Blockchain forensics capability

• Technology infrastructure review

GOVERNANCE COMMITTEE OPTIONS:

- Add digital assets to Investment Committee scope
- Existing governance, new mandate
- Faster to implement
- May lack specialized expertise

- Specific focus on digital assets
- Specialized membership
- Clear accountability
- May create silos

- Investment Committee retains oversight
- Digital Asset Working Group for operations
- Working Group reports to Committee
- Combines expertise with governance

RECOMMENDED STRUCTURE:

Board of Directors
↓ Delegates to
Audit Committee (oversight, audit, controls)
Investment Committee (strategy, limits, counterparties)
↓ Supported by
Digital Asset Working Group (operations, execution)
↓ Consists of
Treasurer, CFO (or delegate), Legal, IT Security, Compliance

• Recommend policies to Investment Committee
• Implement approved policies
• Monitor operations and risk
• Report to Committee monthly/quarterly
• Escalate issues immediately

AUTHORITY MATRIX - DIGITAL ASSETS:

- Approve digital asset policy (annual)
- Approve counterparty framework
- Set overall risk appetite
- Approve material changes to strategy

- Approve specific counterparties
- Set transaction/exposure limits
- Approve product scope (which products)
- Review quarterly performance/risk

- Day-to-day execution within limits
- Counterparty onboarding (within framework)
- Operational decisions
- Exception requests to Committee

SPECIFIC APPROVAL THRESHOLDS (Example):

• <$1M: Treasury Analyst with Treasurer review

• $1-5M: Treasurer approval

• $5-25M: CFO approval

• $25M: Investment Committee approval

• Exchange onboarding: Investment Committee

• Custody provider: Board/Audit Committee

• New product type: Investment Committee

• Within 20% of existing: CFO

• 20% change: Investment Committee

• New limit category: Board

IMPORTANT: These are examples. Your thresholds should reflect your company's size, risk appetite, and existing governance norms.

---

MASTER POLICY DOCUMENT STRUCTURE:

- Why the company is using digital assets
- What activities are covered
- What is explicitly excluded
- Relationship to other treasury policies

- Digital assets (which types)
- Stablecoins vs. volatile assets
- Bridge currencies
- Custody, wallets, keys

- Authority matrix
- Committee structure
- Reporting requirements
- Policy maintenance

- Approved digital assets (RLUSD, XRP for ODL)
- Approved use cases (cross-border, liquidity)
- Prohibited activities (speculation, lending)
- Geographic restrictions

- Counterparty limits
- Concentration limits
- Transaction limits
- Aggregate exposure limits

- Regulatory status requirements
- Due diligence process
- Ongoing monitoring
- Termination triggers

- Authorization procedures
- Custody requirements
- Segregation of duties
- Reconciliation requirements

- Regulatory requirements
- Tax reporting
- AML/KYC obligations
- Sanctions screening

- Management reporting
- Committee reporting
- Board reporting
- Regulatory reporting

- Definition of incidents
- Escalation procedures
- Response protocols
- Post-incident review

- Review frequency
- Amendment process
- Version control
- Training requirements

PERMITTED ACTIVITIES FRAMEWORK:

EXPLICITLY PERMITTED:

• Purpose: Cash management, cross-border positioning

• Limit: [X]% of short-term investments

• Counterparties: Approved exchanges, direct from issuer

• Holding period: No maximum

• Approval: Per standard treasury authority

• Purpose: Cross-border payments

• Corridors: [List approved corridors]

• Maximum transaction: $[X] per transaction

• Daily limit: $[X] per corridor

• Approval: Per standard payment authority

• Approved custodians: [List]

• Self-custody: [Prohibited/Limited circumstances]

• Key management: Per Custody Policy Appendix

EXPLICITLY PROHIBITED:

• Holding volatile cryptocurrencies (BTC, ETH) for investment
• Cryptocurrency lending or yield generation
• Derivatives on digital assets
• Speculative trading
• Use of unregulated/unlicensed counterparties
• Transactions with sanctioned addresses/entities

REQUIRES SPECIAL APPROVAL:

• New digital asset types: Investment Committee
• New use cases: Investment Committee
• New counterparties: Per Counterparty Policy
• Transactions exceeding limits: CFO/Committee per matrix
• New corridors for ODL: Investment Committee

RISK LIMIT STRUCTURE:

COUNTERPARTY LIMITS:

• Maximum exposure per counterparty: $[X]M

• Calculation: Sum of all positions and pending transactions

• Frequency of calculation: Daily

• Breach response: No new transactions, escalate

• Maximum with single counterparty: [X]% of total digital exposure

• Diversification requirement: Minimum [2-3] counterparties

• Exception process: Investment Committee approval

ASSET LIMITS:

• Maximum total stablecoin holdings: $[X]M

• As percentage of cash/short-term investments: [X]%

• Per-stablecoin concentration: Maximum [X]% in single stablecoin

• Location: [X]% minimum with approved custodian

• Single transaction maximum: $[X]M

• Daily aggregate maximum: $[X]M

• Monthly aggregate maximum: $[X]M

CORRIDOR LIMITS (ODL):

• Maximum daily volume: $[X]M

• Maximum single transaction: $[X]M

• Maximum open positions: [Usually zero for ODL]

• Permitted corridors: [List]

• Prohibited jurisdictions: [List - per sanctions]

• New corridor approval: Investment Committee

CONCENTRATION LIMITS:

• No single counterparty >40% of total digital exposure
• No single stablecoin >60% of stablecoin holdings
• No single corridor >50% of ODL volume
• Geographic diversification: Maximum [X]% in any single country

LIMIT MONITORING:

• Real-time: Transaction limits
• Daily: Counterparty exposure, position limits
• Weekly: Concentration limits
• Monthly: Aggregate exposure to Committee
• Quarterly: Full limit review to Board

---

COUNTERPARTY APPROVAL PROCESS:

TIER 1: STABLECOIN ISSUERS (RLUSD, USDC)

Required Documentation:
□ Regulatory licenses/charters (e.g., NYDFS trust charter)
□ Reserve attestation reports (monthly)
□ Audited financial statements
□ Reserve composition breakdown
□ Redemption terms and conditions
□ AML/KYC program description
□ Insurance documentation
□ Custody arrangements for reserves

1. Verify regulatory status with regulator
2. Review last 6 months of reserve attestations
3. Confirm redemption process and timing
4. Assess operational track record
5. Legal review of terms and conditions
6. Present to Investment Committee for approval

- Monthly review of attestation reports
- Quarterly regulatory status confirmation
- Annual comprehensive review
- Immediate review upon adverse news

TIER 2: EXCHANGES (ODL Partners)

Required Documentation:
□ Money transmitter licenses (all relevant states)
□ AML/KYC program certification
□ SOC 2 Type II report
□ Insurance documentation
□ Financial statements
□ Ownership/control information
□ Regulatory examination history
□ Cybersecurity assessment

1. Verify licenses in all required jurisdictions
2. Review SOC 2 report (especially security controls)
3. Assess trading volume and liquidity
4. Evaluate historical uptime and reliability
5. Check for regulatory actions/enforcement
6. Legal review of master agreement
7. Present to Investment Committee for approval

- Quarterly license status verification
- Annual SOC 2 report review
- Continuous news/regulatory monitoring
- Annual comprehensive reassessment

TIER 3: CUSTODY PROVIDERS

Required Documentation:
□ Qualified custodian status/regulatory charter
□ SOC 2 Type II report
□ Insurance coverage (crime, E&O, cyber)
□ Key management procedures
□ Business continuity/disaster recovery plans
□ Audit committee report
□ Segregation of assets documentation
□ Financial statements

1. Verify qualified custodian status
2. Review insurance coverage limits and exclusions
3. Assess key management security (HSM, multi-sig)
4. Evaluate disaster recovery capabilities
5. Review segregation of client assets
6. On-site visit (for material relationships)
7. Present to Audit Committee/Board for approval

- Quarterly SOC 2/security review
- Annual insurance verification
- Continuous operational monitoring
- Annual on-site review (material relationships)

ONGOING MONITORING FRAMEWORK:

- Transaction settlement confirmation
- Operational status (system availability)
- News alerts for adverse developments
- Position reconciliation

- Exposure levels vs. limits
- Settlement timing trends
- Issue tracking and resolution

- Stablecoin reserve attestations
- Performance metrics
- Incident summary
- Limit utilization

- Comprehensive counterparty review
- Financial health assessment
- Regulatory status verification
- Contract compliance

- Full due diligence refresh
- SOC 2 report review
- Insurance renewal verification
- Counterparty scorecard update
- Investment Committee approval renewal

TRIGGER-BASED REVIEW:

• Regulatory enforcement action
• Credit rating downgrade
• Key personnel departure
• Operational incident
• Significant negative news
• Reserve attestation concerns
• Redemption delays

COUNTERPARTY SCORECARD:

1. Regulatory Status (25%): Licenses, compliance, enforcement
2. Financial Strength (20%): Capital, profitability, growth
3. Operational Capability (20%): Uptime, settlement, service
4. Security (20%): SOC 2, insurance, incidents
5. Strategic Fit (15%): Product alignment, relationship

Rating Scale: 1-5 (5 = Excellent)
Minimum for Approval: 3.0 average, no category below 2.0
Watch List: 3.0-3.5 average
Full Review Trigger: Any category falls below 2.0

---

TRANSACTION AUTHORIZATION:

MULTI-PERSON AUTHORIZATION:

Transaction Value → Approval Required:
<$500K → Single authorized person
$500K-$2M → Two authorized persons
$2M-$10M → Treasurer + CFO

$10M → Treasurer + CFO + Investment Committee Chair

• Digital signature (hardware token required)
• Written approval (email from authorized address)
• Meeting minutes (for Committee approvals)

SEGREGATION OF DUTIES:

• Initiate transaction AND approve transaction

• Approve transaction AND execute transaction

• Execute transaction AND reconcile transaction

• Manage keys AND authorize transactions

• Onboard counterparty AND approve transactions with that counterparty

• Three authorized transaction initiators

• Two authorized approvers (Treasurer, CFO)

• Separate reconciliation function

• Independent limit monitoring

EXECUTION CONTROLS:

Pre-Execution Checklist:
□ Transaction within approved policy
□ Counterparty is approved and in good standing
□ Transaction within counterparty limit
□ Transaction within daily/monthly limits
□ Proper authorization obtained
□ FX rate acceptable (if applicable)
□ Settlement instructions verified
□ Sanctions screening complete

Post-Execution Verification:
□ Transaction ID recorded
□ Blockchain confirmation obtained (for crypto)
□ Settlement confirmed
□ Position updated in treasury system
□ Documentation filed
```

CUSTODY POLICY:

CUSTODY REQUIREMENTS:

• All stablecoin holdings >$1M

• Any holdings >30 days

• All reserve positions

• Operational balances <$500K

• Temporary positions <48 hours

• With approved hardware wallet only

• Multi-signature required

• Qualified custodian status

• SOC 2 Type II certification

• $[X]M minimum insurance coverage

• Segregated client accounts

• 24/7 operational capability

• Proven disaster recovery

KEY MANAGEMENT:

• Minimum 2-of-3 for all transactions

• 3-of-5 for transactions >$5M

• Geographic distribution of key holders

• No single person holds majority of keys

• Hardware Security Modules (HSM) for custody

• Hardware wallets (Ledger/Trezor) for operational

• Seed phrases in secure, separate locations

• Regular key ceremony documentation

• Background check completed

• Training certification

• Acknowledgment of responsibility

• Regular attestation of key custody

• Documented recovery procedure

• Tested annually

• Board member key share for emergency

• Legal counsel involvement required

ACCESS CONTROLS:

• Role-based access control

• Multi-factor authentication required

• Session timeout (15 minutes)

• Quarterly access review

• Immediate termination upon role change

• Secure facilities for key storage

• Logged entry/exit

• Two-person integrity for key access

• Annual physical security review

RECONCILIATION REQUIREMENTS:

- Blockchain balance vs. internal records
- Custodian statement vs. internal records
- Transaction logs vs. authorizations
- Settlement confirmations vs. transactions

Performed by: Treasury Operations (not transaction initiators)
Reviewed by: Treasurer or delegate
Deadline: T+1 by 10:00 AM local time
Documentation: Signed reconciliation report

- Aggregate position verification
- Limit utilization calculation
- Exception investigation and resolution
- Counterparty exposure calculation

Performed by: Treasury Operations
Reviewed by: Risk Management
Deadline: Monday COB for prior week
Documentation: Weekly position report

- Full position report for all digital assets
- Counterparty exposure vs. limits
- P&L calculation (if applicable)
- Fee analysis
- Compliance checklist completion

Performed by: Treasury Operations
Reviewed by: Treasurer, CFO
Reported to: Investment Committee
Deadline: M+5 business days

- External statement reconciliation
- Regulatory compliance verification
- Policy compliance attestation
- Control self-assessment

Performed by: Treasury Operations + Compliance
Reviewed by: Internal Audit
Reported to: Audit Committee
Deadline: Q+15 business days

EXCEPTION MANAGEMENT:

• Category A: Breaks >$10K - Same day resolution required

• Category B: Breaks $1K-$10K - T+1 resolution

• Category C: Breaks <$1K - Weekly batch resolution

• Unresolved Category A: Treasurer immediately

• Pattern of exceptions: Risk Management review

• Counterparty-related: Counterparty review trigger

---

COMPLIANCE REQUIREMENTS:

TAX COMPLIANCE:

• Cost basis for all acquisitions

• Fair market value at disposition

• Date/time of all transactions

• Transaction purpose documentation

• Third-party reports (1099s, etc.)

• Form 8949 for dispositions (as applicable)

• FBAR for foreign accounts >$10K (if applicable)

• State tax filings as required

• Corporate tax integration

Responsibility: Tax Department with Treasury input
Timeline: Per standard tax calendar
Oversight: CFO/Tax Director

AML/KYC COMPLIANCE:

• Sanctions screening on all counterparties

• OFAC SDN list monitoring

• Suspicious activity awareness

• Geographic restriction enforcement

• Confirm counterparty AML program

• Obtain compliance certifications

• Review for enforcement actions

• Annual recertification

• Counterparty KYC files maintained

• Transaction purpose documentation

• Sanctions screening records

• Compliance attestations

ACCOUNTING COMPLIANCE:

• Methodology documented

• Source pricing established

• Valuation frequency defined

• Impairment testing (if applicable)

• Balance sheet classification

• Disclosure requirements

• MD&A considerations

• Audit support documentation

Responsibility: Controller with Treasury input
Oversight: Audit Committee
```

REPORTING STRUCTURE:

MANAGEMENT REPORTING (Weekly):

• Current positions by asset type
• Week-over-week changes
• Limit utilization summary
• Transaction volume
• Settlement status
• Exception summary

Audience: CFO, Treasurer
Prepared by: Treasury Operations
Format: 1-page dashboard

COMMITTEE REPORTING (Monthly):

• Position summary and trends
• Counterparty exposure
• Limit compliance
• Transaction activity summary
• Market conditions
• Risk indicators
• Issues and exceptions
• Recommendations

Audience: Investment Committee
Prepared by: Treasurer
Format: 3-5 page report with appendices

BOARD REPORTING (Quarterly):

• Policy compliance attestation
• Aggregate exposure and trends
• Counterparty status summary
• Regulatory developments
• Control testing results
• Incident summary
• Strategic recommendations

Audience: Audit Committee, Board
Prepared by: CFO/Treasurer
Format: Executive summary (2-3 pages) with detail appendix

REGULATORY REPORTING:

• Tax filings per schedule
• Any required regulatory filings
• Examination responses
• Policy updates to regulators (if required)

Responsibility: Compliance with Treasury input
Oversight: Legal

EXCEPTION/INCIDENT REPORTING:

• Limit breach
• Unauthorized transaction attempt
• Custody/key incident
• Counterparty issue
• Regulatory inquiry
• System failure affecting operations

Escalation Path:
Incident → Treasurer → CFO → Committee Chair (if material)

---

POLICY APPROVAL ROADMAP:

PHASE 1: PREPARATION (4-6 weeks)

- Draft master policy
- Draft operational procedures
- Draft risk limits
- Internal Treasury review

- Legal counsel review
- Regulatory compliance confirmation
- Contract language alignment
- Liability considerations

- Risk Management input
- Compliance sign-off
- Internal Audit preview
- Revisions and finalization

PHASE 2: MANAGEMENT APPROVAL (2-3 weeks)

- Present to CFO
- Address questions/concerns
- Obtain CFO sponsorship

- Present to relevant executives
- Cross-functional input
- Finalize for Committee

PHASE 3: COMMITTEE APPROVAL (2-4 weeks)

- Present strategy and policy
- Risk limit approval
- Counterparty framework approval
- Questions and revisions

- Control framework review
- Custody policy approval
- Compliance framework sign-off

- Strategic rationale
- Risk acceptance
- Policy ratification

TOTAL TIMELINE: 10-14 weeks typical
(May be longer for more conservative organizations)

PRESENTING TO LEADERSHIP:

INVESTMENT COMMITTEE PRESENTATION:

1. Strategic Rationale (5 min)

2. Risk Assessment (10 min)

3. Product Overview (10 min)

4. Policy Framework (15 min)

5. Implementation Plan (5 min)

6. Recommendation (5 min)

KEY MESSAGES:

✓ This is measured, not speculative
✓ Risks are identified and managed
✓ Controls are institutional-grade
✓ Benefits are quantified conservatively
✓ We can exit if needed
✓ Policy provides clear guardrails

ANTICIPATE QUESTIONS:

• Reserve backing, regulatory oversight, redemption rights

• Diversification across stablecoins

• Limit on total exposure

• Current status is clear (explain)

• Trajectory is toward more clarity

• Flexibility built into approach

• Industry adoption status

• Specific examples if available

• First-mover vs. fast-follower analysis

• Honest assessment of downside

• Mitigation measures

• Exit strategy

• Team capabilities

• Training plan

• External support (legal, consultants)

POLICY LIFECYCLE:

ANNUAL REVIEW CYCLE:

• Policy effectiveness review

• Control testing results

• Incident analysis

• Procedure updates

• Limit appropriateness

• Utilization analysis

• Market condition changes

• Limit adjustments

• Annual due diligence

• Scorecard updates

• Relationship assessment

• Counterparty changes

• Incorporate changes

• Legal/Compliance review

• Committee approval

• Board ratification (if material changes)

TRIGGER-BASED REVIEWS:

• Significant regulatory change

• Material counterparty issue

• Control failure

• Significant loss event

• Strategic change in usage

• Policy update if needed

• Expedited approval process

• Communication to stakeholders

VERSION CONTROL:

• All policies version-numbered
• Change log maintained
• Superseded versions archived
• Effective date clearly stated
• Distribution list maintained

TRAINING REQUIREMENTS:

• All policy participants before go-live

• Covers all policy elements

• Includes practical scenarios

• Documented completion

• Annual refresher required

• Update training for material changes

• New employee onboarding

• Training records maintained

---

✅ Board-level approval is essential. Digital assets represent new risk—board acceptance of that risk (with limits) is foundational.

✅ Written policies are non-negotiable. "We have an understanding" doesn't survive audit, examination, or incident.

✅ Segregation of duties must be maintained. The person initiating cannot be the person approving—standard control principle applies.

✅ Documentation enables defense. If something goes wrong, "we followed our policy" is your protection.

⚠️ Specific limits depend on your organization. A $10B company's limits differ from a $500M company's limits.

⚠️ Committee structure can vary. Existing governance can often be extended rather than creating new committees.

⚠️ Approval thresholds should match existing norms. Align with how your company approves other treasury activities.

⚠️ Phasing allows learning. Policies can start conservative and expand with experience.

🔴 Proceeding without policy. "We'll document it later" creates liability and control gaps.

🔴 Policies that are too restrictive to use. If policy requires CFO approval for every transaction, operations stall.

🔴 Policies that aren't followed. Unenforced policies are worse than no policies—they demonstrate failed controls.

Policy development takes time—typically 10-14 weeks from draft to board approval. This feels slow when you're eager to capture benefits, but it's essential groundwork. A strong policy framework enables confident execution, protects the organization, and demonstrates institutional maturity. The investment in policy is an investment in sustainability.

---

Assignment:
Create a draft Digital Asset Treasury Policy for your company (or hypothetical company from previous lessons). This will be the core document governing your digital asset operations.

Requirements:

Part 1: Policy Document (5-7 pages)

Create a complete policy document including:

1. Purpose and Scope (0.5 page)

2. Governance Structure (1 page)

3. Permitted Activities (1 page)

4. Risk Limits (1 page)

5. Counterparty Requirements (1 page)

6. Operational Controls (1 page)

7. Compliance and Reporting (0.5 page)

Part 2: Approval Strategy Memo (1-2 pages)

• Executive summary of proposal

• Key risks and mitigations

• Approval timeline

• Resources required

• Completeness of policy components (35%)

• Appropriateness of limits and controls (25%)

• Alignment with governance principles (20%)

• Quality of approval strategy (20%)

Time Investment: 4-5 hours
Value: This deliverable creates the foundational document for implementation.

---

For Next Lesson:
With policy framework complete, we move to Phase 2: Product-specific implementation. Lesson 6 focuses on RLUSD for treasury operations.

---

You have now completed Phase 1 of this course, establishing the foundational knowledge for digital treasury:

Phase 2 Preview: Lessons 6-11 will cover product-by-product implementation—RLUSD, ODL, Liquidity Hub, Custody, Hybrid Strategies, and Cost-Benefit Analysis.

---

End of Lesson 5

Total words: ~6,800
Estimated completion time: 60 minutes reading + 4-5 hours for deliverable

---

Course 57: Corporate Treasury with Ripple Products
Lesson 5 of 15
XRP Academy - The Khan Academy of Digital Finance