When a bank applies for a licence, regulators know exactly what to look for. Capital reserves, liquidity ratios, governance structures, AML programmes, credit risk management, operational resilience: decades of supervisory practice have produced detailed assessment methodologies for each of these areas. The examiner arrives with a well-defined list of evidence to collect.
However, when a Virtual Asset Service Provider (VASP) applies for a licence, the examiner’s list of evidence to collect has a gap. The application describes multi-party computation signing, hardware security modules, cold storage vaults, threshold signature schemes, and key material backup procedures with tamper-evident seals. The regulator understands that these controls matter, that a failure could result in the permanent, irreversible loss of customer assets, but may not have the technical skills and framework to assess whether what the applicant describes is adequate, or the supervisory methodology to verify that it remains adequate after the licence is granted.
This article examines how regulators can close that gap by using the CryptoCurrency Security Standard (CCSS), drawing on the practical example of Vanuatu’s Financial Services Commission, which has embedded CCSS into a comprehensive cybersecurity audit framework for licensed VASPs.
The Key Management Gap in Financial Regulation
The cybersecurity frameworks that regulators typically reference (ISO/IEC 27001, NIST CSF, SOC 2) were designed for general information security. They address access control, encryption, monitoring, incident response, and governance across all types of information assets. They are valuable, and most VASPs should maintain certifications against one or more of them.
What general cybersecurity frameworks do not address is the specific challenge of managing cryptographic key material that directly controls financial assets on a blockchain. The risks differ from those in traditional information security in several respects.
Blockchain
- Blockchain transactions are irreversible: a compromised key results in permanent loss rather than a reversible error.
- Key material is the asset: unlike a database password (which provides access to data), a private key is equivalent to the asset itself.
- Custody models are cryptographic: the security of customer funds depends entirely on how key material is generated, stored, distributed, and used.
- The operational procedures (key ceremonies, multi-party signing, inspection of backup key material, geographic distribution of key shares) have no equivalent in conventional IT security.
CCSS
CCSS, published by C4 (CryptoCurrency Certification Consortium), was developed specifically for these risks. It covers 59 requirements across 10 aspects, spanning the full lifecycle of cryptographic key material from generation through destruction.
CCSS operates at three progressive levels (Level 1 baseline, Level 2 enhanced, Level 3 comprehensive), requires independent third-party auditing by an accredited CCSSA with peer review by a second CCSSA, and mandates annual renewal. At the time of writing, it is the only independently audited certification standard designed specifically for cryptocurrency key management.
For regulators, CCSS provides a ready-made assessment framework for the one area of VASP cybersecurity that general standards do not adequately cover, eliminating the need to develop a key management assessment methodology from first principles.
Practical Approaches to Regulatory Adoption
How a regulator incorporates CCSS depends on the jurisdiction’s legislative authority, the maturity of its VASP regulatory framework, and the supervisory resources available. There are four practical approaches, ranging from lightweight to comprehensive.
The simplest approach is to treat CCSS certification as a supervisory input: evidence that the regulator accepts during licence examinations or ongoing supervision as demonstrating that the VASP’s key management controls have been independently assessed.
The regulator does not mandate CCSS but recognises it as relevant evidence. This suits regulators with limited technical cybersecurity capacity who want to rely on external assurance without prescribing specific standards.
A step further is to use CCSS certification as a risk-differentiation mechanism. VASPs that hold current CCSS certification receive a proportionately lighter supervisory touch on key management controls; those without it receive more intensive scrutiny. This creates a market incentive for certification without making it a formal requirement.
More prescriptively, a regulator can establish CCSS certification at a specified level as a licensing condition, arguably removing ambiguity about what “adequate key management” means and providing a clear, verifiable baseline. The regulator should recognise that CCSS covers key management specifically and supplement it with requirements for network security, application security, incident response, and other domains.
The most comprehensive approach is to build CCSS into a broader cybersecurity audit methodology that the regulator designs for its specific supervisory context. This is what Vanuatu’s VFSC has done, and it represents the most developed model of regulatory CCSS integration currently in operation.
How Vanuatu Built CCSS into Its VASP Supervision Framework
The VFSC’s Cybersecurity Audit Methodology, developed under the Virtual Assets Services Providers Act No. 3 of 2025, provides a practical template that other jurisdictions can learn from. It does not simply require CCSS certification and leave it at that. It integrates CCSS into a structured supervisory lifecycle with continuous monitoring, risk-based supervision tiers, and a comprehensive findings and maturity framework.
Scoping by Custody Risk
The methodology classifies VASP applicants into two cybersecurity types. Type 1 applicants do not hold, control, or have access to customer key material; they cannot directly or indirectly affect the security of customer funds. Non-custodial derivatives traders, for example, fall into this category.
Type 2 applicants can directly or indirectly affect the security of customer assets by holding, accessing, or controlling key materials: exchanges, custody providers, staking providers, stablecoin issuers, and token issuers with administrative authority over customer assets.
The CCSS-aligned control testing procedures apply only to Type 2 applicants. This is a sensible design that other regulators should consider: concentrating intensive scrutiny of key management on the entities whose activities create custody risk, rather than applying uniform requirements across all VASP licence classes.
Three Assurance Frameworks, One Methodology
The VFSC methodology is built on three pillars. ISAE 3000 (Revised) provides the assurance standard foundation: the audit is structured as a reasonable assurance engagement with practitioner independence requirements, giving the output a recognised professional standing.
CCSS v9 provides the key management control testing procedures, with VFSC requiring a minimum of Level II compliance for Type 2 applicants across all 10 CCSS aspects.
Supplementary control domains extend the assessment into areas CCSS was not designed to cover:
- Network and infrastructure security
- Application security
- Incident response beyond key compromise
- Business continuity
- Third-party and supply chain risk management
- AI governance and regulatory compliance controls
This three-pillar design addresses the limitation that CCSS alone does not cover the full cybersecurity posture. By layering CCSS (for key management) over ISAE 3000 (for assurance quality) and adding supplementary domains (for breadth), the VFSC has developed a methodology that is both sufficiently specific to cryptocurrency risks and broad enough for comprehensive supervisory coverage.
A Supervision Lifecycle, Not a One-Off Audit
The methodology operates as a continuous lifecycle comprising three phases.
The baseline cybersecurity audit occurs during the licensing process. It assesses control design and implementation readiness at a point in time, covers all people, processes, and technology components within the audit boundary, and produces both a cybersecurity maturity rating (across five levels from Initial to Optimising) and a preliminary supervision level recommendation.
Critically, the presence of Critical or High findings during the baseline audit will prevent licence approval until the entity remediates those findings to the VFSC’s satisfaction.
Between audits, continuous monitoring maintains ongoing assurance. Licensed VASPs must submit periodic compliance reports (quarterly under standard supervision, monthly under enhanced, weekly or bi-weekly under intensive), notify the VFSC of material cybersecurity incidents within 24 hours, and notify the VFSC before implementing material changes to their key management architecture or custody arrangements.
The cybersecurity auditor conducts desk-based reviews and event-driven assessments throughout this period.
The annual cybersecurity audit then provides periodic independent assurance, transitioning from the baseline’s design assessment to evaluating whether the controls have operated effectively over the preceding twelve months. The scope and intensity of the annual audit are determined by the VASP’s assigned supervision level.
Risk-Proportionate Supervision Tiers
The methodology assigns each VASP to one of three supervision levels based on a structured risk score derived from the audit findings.
VASPs under standard supervision (risk score 1 to 6) demonstrated a strong cybersecurity posture at baseline with no critical or high findings. Their annual audit is a focused review (Tier 1): targeted testing of previously identified issues, confirmation of continued CCSS compliance, and assessment of any material changes. Compliance reporting is quarterly.
VASPs under enhanced supervision (risk score 7 to 15) have elevated risk, perhaps due to unresolved findings, architecture changes, or a cybersecurity incident. Their annual audit is a full-scope standard audit (Tier 2) covering all eight control domains with a complete CCSS v9 reaudit. Compliance reporting is monthly.
VASPs under intensive supervision (risk score 16 to 25) have serious cybersecurity concerns. Their annual audit is a comprehensive audit (Tier 3) with extended testing: live key ceremony observation, verification of key share integrity, testing of the key compromise recovery protocol, and full-population testing for critical controls. Compliance reporting is weekly or bi-weekly.
This tiered structure is one of the most transferable elements of the VFSC model. It allows a regulator with finite resources to direct intensive oversight where the risk is greatest while maintaining adequate assurance across the full licensed population.
Maturity Beyond Compliance
Beyond pass/fail findings, the VFSC methodology requires the auditor to assess the VASP’s overall cybersecurity maturity across five levels: Initial (ad hoc and reactive), Developing (partially documented, inconsistently applied), Defined (documented and consistently applied), Managed (measured, monitored, and continuously improved), and Optimising (industry-leading and proactive).
This maturity assessment adds a dimension that compliance testing alone does not capture. Two VASPs can achieve the same CCSS level and have the same number of findings, yet operate at fundamentally different levels of security maturity.
The VASP at the Managed level has embedded cybersecurity into its operational culture and is on a trajectory of continuous improvement. The VASP at the Initial level has addressed the minimum controls to pass the audit but is likely to regress between audit cycles. The regulator’s supervisory response should differ accordingly, and the maturity assessment provides the basis for that differentiation.
What Regulators Should Request from CCSS-Certified VASPs
Regardless of which adoption model a regulator chooses, understanding the CCSS deliverables helps regulators know what to ask for during supervisory examinations.
The Certificate of Compliance confirms the certified system, the compliance level achieved, the audit period, and the issuing CCSSA.
Regulators can verify any certificate against C4’s public registry. If a VASP claims CCSS certification but does not appear in the registry, it is not certified.
The Summary Report on Compliance (SRoC) captures the scope and outcome of the certification in a structured format comparable to a PCI DSS Attestation of Compliance. It does not contain sensitive security details. Distribution is controlled by the entity and normally provided under an NDA.
The redacted Report on Compliance provides the most substantive view available to external parties: a detailed account of what was assessed, which evidence-gathering techniques were used, and how the CCSSA reached the finding status for each requirement, with sensitive information (architecture details, key material locations, personnel identities) removed. This is the deliverable that gives regulators confidence in the substance of the assessment, not just the outcome.
The CCSS Responsibility Matrix is particularly relevant for VASPs that use third-party custody providers or MPC services. It documents which CCSS requirements the VASP controls directly, which the service provider controls, and which are shared. For regulators assessing custody arrangements with outsourced components, this matrix clarifies where the accountability sits.
Takeaways for Regulators
The VFSC experience, and the broader evolution of CCSS as a regulatory tool, suggest five practical takeaways.
First, regulators do not need to develop key management assessment methodologies from scratch. CCSS provides the framework. The regulator’s role is to set the policy: which level to require, what supplementary controls to add, and how to structure the ongoing supervisory relationship.
Second, CCSS is necessary but not sufficient on its own. Key management is the most cryptocurrency-specific component of VASP cybersecurity, but a regulator’s supervisory interest extends across network security, application security, incident response, business continuity, and governance. Supplementary control domains are essential.
Third, risk-proportionate supervision is more effective than a uniform approach. A tiered model that adjusts audit scope, reporting frequency, and supervisory intensity based on the entity’s risk profile directs resources where they are needed most.
Fourth, continuous oversight between audits matters as much as the audits themselves. Periodic compliance reporting, incident notification obligations, and material change notifications provide the regulator with year-round visibility rather than a 12-month gap between assessments.
Fifth, four evidence-gathering techniques (reviewing documentation, interviewing personnel, inspecting system configurations, and observing processes) in combination provide far stronger assurance than any single technique alone. Controls that are documented, understood by the people who operate them, technically configured correctly, and actually followed in practice are controls that are genuinely effective.
Where to Start
For regulators beginning to explore CCSS integration, the practical first step is to assess which of the four adoption models fits the jurisdiction’s current legislative framework and supervisory capacity. Regulators with established VASP licensing regimes can incorporate CCSS requirements into their existing frameworks. Jurisdictions developing new VASP legislation have the opportunity to embed CCSS from the outset, as Vanuatu has done.
The C4 CCSS Steering Committee welcomes engagement from regulators and can provide input on how the standard applies to specific regulatory contexts. As more jurisdictions develop their approaches, there is an opportunity for greater international consistency in how cryptocurrency key management is supervised, which benefits both regulators and the entities they regulate.
The technology that VASPs use to manage customer assets is specialised. The assurance framework should be equally specialised. CCSS provides that specialisation for key management, and the VFSC’s methodology demonstrates that it can be integrated into a comprehensive, risk-proportionate supervisory framework that works in practice.
Did you know Zanarc provides CCSS readiness assessments, CCSS audits, and regulatory advisory services for VASPs, cryptocurrency exchanges, custodians, and financial regulators? Got a question? Contact us.
