The Handbook
Standard 1: Fiduciary Governance
The Standard

Firms must establish and maintain effective governance structures. This includes board oversight with appropriate expertise and authority over operations, risk taking, and strategic direction; a clear organizational structure with defined roles, responsibilities, and reporting lines; and comprehensive policies and procedures covering all operational areas. Firms must implement succession planning and knowledge management for critical positions to mitigate key person risk, and conduct regular assessments and monitoring of governance effectiveness with documented review processes.

Introduction

Fiduciary governance defines who has the authority to make decisions, how accountability flows within the organization, and whether oversight functions independently. It determines whether there is a single point of failure in investment strategy, operational execution, or asset control—key risks that institutional allocators consider before investing capital. Standard 1 requires firms to demonstrate that no single person controls investment decisions, operational processes, or asset custody without oversight.

This standard addresses three core governance issues that institutional allocators won’t accept: boards lacking independence or digital asset expertise, management structures that concentrate power without checks, and policies that are written but ineffective in practice. Maintaining this standard involves establishing independent board oversight with digital asset expertise, developing professional management with distinct roles, enforcing policies with documented compliance, planning succession for key roles, and forming committees that challenge rather than merely approve management decisions. Firms that do not meet these requirements face significant risks from key personnel and operational vulnerabilities, disqualifying them from attracting institutional capital.

1.1 Board Composition and Structure

A board of directors oversees management, offers strategic advice, and has fiduciary responsibilities. In digital assets, boards need to know basic investment rules and also understand risks like smart contract flaws, how assets are stored, and protocol issues. The makeup of the board shows whether it truly supervises or just meets legal requirements.

1.1.1 Board Size and Independence

Your board should have at least three directors. If the assets under management go over $100 million, increase the number of directors to five or seven. At least one, preferably two, directors should be truly independent: they should not have any important relationships, family ties, or financial dependence on the company. Independence means the director can question management freely without worrying about losing pay or important relationships. Directors who get consulting fees, work as outside lawyers, or have family members working for the company are not considered independent.

Essential board expertise includes:

- Traditional asset management experience: establishes credibility with institutional allocators and provides context for adapting proven controls to digital assets.
- Digital asset operational proficiency: enables meaningful oversight of blockchain-specific risks, custody architectures, and protocol evaluation.
- Enterprise risk management capability: provides frameworks for complex threat assessment, control design, and incident response.
- Regulatory and legal experience: helps navigate evolving digital asset regulation across multiple jurisdictions and compliance frameworks.

Traditional finance skills alone are not enough; understanding digital assets is also important. A director with many years of hedge fund experience but no knowledge of custody security, smart contract risks, or DeFi protocols cannot effectively oversee digital assets. On the other hand, someone with only crypto experience and no understanding of institutional rules may miss important aspects like governance, regulations, and operational procedures.

1.1.2 Committee Structure by Firm Size

Committee formation must match the company's growth and complexity. Creating committees too early can cause unnecessary bureaucracy, while waiting too long can result in oversight gaps. Proper timing ensures effective governance and oversight in digital asset investments.

Table 1: Committee Structure by AUM Level (table content not preserved in this copy)

1.1.3 Meeting Cadence and Documentation

Effective board meetings are essential for good oversight and operational efficiency. For investment portfolios under $50 million in assets under management (AUM), hold quarterly board meetings and provide monthly written updates; these updates should include performance data, compliance status, and operational metrics. For portfolios between $50 million and $250 million, increase the frequency to quarterly board meetings and add monthly committee meetings to review specific areas in detail. For portfolios exceeding $250 million, conduct monthly board meetings to manage the increased complexity and meet institutional expectations. This structure ensures proper oversight while maintaining operational efficiency across different asset sizes.

Every board meeting should address:

- Management performance update covering financial results, operational KPIs, key hires and departures, and strategic initiative progress.
- Investment performance analysis with detailed risk metrics, including VaR, drawdown analysis, concentration limits, and performance attribution.
- Compliance and regulatory updates detailing rule changes, examination activity, violation logs, and remediation status.
- Technology and security status reviewing infrastructure changes, security incidents, vulnerability assessments, and disaster recovery testing.
- Strategic initiative tracking covering new product development, fundraising activity, service provider changes, and material partnerships.
- Executive session conducted without management present to discuss executive performance, compensation, succession planning, and any concerns.

Clear documentation is essential for effective governance. Always distribute detailed board packages five to seven days before meetings; these should include performance reports, risk dashboards, compliance updates, and financial statements. Meeting minutes must record who attended, key discussions, all decisions with reasons, any dissenting opinions, and action items with assigned owners and deadlines. Follow up on action items to ensure completion and report progress at future meetings. Poor documentation undermines governance and suggests superficial oversight rather than genuine management.

Takeaway message: Most fiduciary breakdowns in digital asset funds stem not from strategy failure but from concentrated authority. No oversight model can function effectively when one person controls trading, custody, and cash movement. Boards that meet infrequently or lack digital asset expertise cannot provide meaningful oversight of protocol risks, smart contract vulnerabilities, or custody architecture. A best practice is ensuring at least one board member can engage substantively on digital asset operations—not just investment thesis, but custody mechanics, key management, and protocol-level risks. During diligence, allocators often assess whether directors can articulate specific digital asset risks without deferring entirely to management. Generic board credentials without crypto-specific knowledge yield governance in name only.

1.2 Management Structure and Accountability

The management structure of an organization is crucial in determining how effectively it can grow and adapt. A well-designed structure ensures that operations can expand systematically, rather than relying heavily on specific individuals. When leadership roles such as CEO and CIO are combined with operational control, it creates a significant risk: this setup can lead to a single point of failure, affecting strategy, execution, and risk management. For institutional investors, this is a concern because they prefer to invest in firms where authority is balanced. Clear checks and balances are essential to ensure accountability and reduce risks. Therefore, investment managers should prioritize organizations with transparent and balanced management structures to safeguard their investments and promote sustainable growth.

1.2.1 Core Leadership Roles

The executive leadership structure should focus on four leading roles, each bearing unique responsibilities essential for organizational success. These roles need not all be filled immediately at launch, but firms must demonstrate clear progression toward complete separation as assets and complexity grow.

Chief Executive Officer (CEO): The CEO is ultimately responsible for the firm's strategy, business development, capital raising, board relations, and organizational culture. This role focuses externally on growth while ensuring internal resources align with strategic priorities. The CEO should not control day-to-day investment decisions or operational execution—concentrating strategic and tactical authority eliminates the necessary tension between growth ambitions and risk management.

Chief Investment Officer (CIO): The CIO directs investment strategy, portfolio construction, and investment team management. Responsibilities include strategy development, risk budget allocation, leadership of the investment committee, oversight of the research process, and performance analysis. The CIO should not have unilateral trade execution authority, custody control, or operational oversight—separating investment authority from operational execution creates an essential control structure.

Chief Operating Officer (COO): The COO manages operational infrastructure, service provider relationships, and business operations.
This includes trade operations, reconciliations, fund administration coordination, valuation processes, investor reporting, and technology oversight. The COO provides independent verification of investment activities and ensures operational controls function effectively. In emerging firms, a strong operations professional with segregation from investment authority proves more valuable than a CEO/CIO who also manages operations.

Chief Compliance Officer (CCO): The CCO designs, implements, and monitors the compliance program. This role requires independence from investment and operational pressures—reporting directly to the board or CEO rather than the CIO. Responsibilities include regulatory filing management, policy development and enforcement, examination coordination, violation investigation, and remediation oversight. The CCO cannot report to the person whose activities require monitoring—structural independence enables effective compliance oversight.

1.2.2 Scaling Leadership as Firms Grow

The leadership structure should evolve as the firm expands, gradually assigning responsibilities to avoid conflicts of interest. The pace of this development depends on asset growth, the complexity of strategies, and investor requirements. For institutional investors, it is important to demonstrate clear progress toward fully separating roles to ensure transparency and accountability.

Table 2: Leadership Team Structure (table content not preserved in this copy)

1.2.3 Organizational Design Principles

Effective organizational design should include clear reporting lines, delegated authority, and proper documentation. The following principles provide guidance on structuring organizations, regardless of their size.

- No individual controls investment decisions and operational execution: the person making investment decisions should not also execute trades, control custody, or manage cash operations. This separation creates natural verification points and eliminates single-point fraud risk.
- Clear escalation hierarchies for exceptions: document who can approve exceptions to policies, limits, and standard procedures. CEO discretion to override controls eliminates the value of those controls. Material exceptions require board notification or approval, depending on significance.
- Written position descriptions with approval authorities: every role should have documented responsibilities and approval limits. Vague authorities create confusion during operational stress; clear documentation enables succession planning and training.
- Segregation of duties for critical functions: separate individuals should initiate transactions, approve transactions, and reconcile results. The same person cannot perform trade initiation, custody control, and reconciliation without independent verification.
- Independent compliance and risk functions: compliance and risk management require independence from business pressures. These functions report to the board or the CEO—never to the individuals whose activities they monitor. Performance incentives should not conflict with control effectiveness.

Takeaway message: A primary management failure is the founder CEO/CIO who also controls operations and technology, creating a single point of failure across decision making, execution, and risk management. Institutional allocators are unlikely to invest where one person makes investment decisions, executes trades, controls custody, and manages cash without independent oversight. Best practice is establishing clear segregation even at small scale—if full role separation isn’t feasible, ensure no single individual can complete critical processes (especially asset movements) without independent verification. A common diligence question is “If your CIO is unavailable for 30 days, who specifically performs each of their critical functions?” Having documented answers with named individuals and written authority demonstrates operational maturity.

1.3 Policy Framework and Documentation

Policies turn governance principles into clear operational steps. Good policies should specify what actions are needed, who is responsible, how often controls should be checked, what records show compliance, and who can approve exceptions. Vague policies that only say the firm 'maintains appropriate controls' do not give clear guidance or accountability if controls are not effective.

1.3.1 Core Policy Architecture

Your policy framework should cover all key operational areas with enough detail to guide actions. The main policies for managing institutional-grade operations include:

- Compliance policy and procedures manual: comprehensive document covering regulatory obligations, supervision procedures, recordkeeping requirements, and compliance testing. Must be reviewed and updated annually with board approval. This serves as your operational rulebook for regulatory adherence.
- Code of ethics: governs personal trading, conflicts of interest, gifts and entertainment, outside activities, and confidential information. Digital asset-specific provisions must address token holdings, DeFi participation, protocol contributions, and governance voting. All access persons must acknowledge annually.
- Investment policy statement: defines investment objectives, strategy parameters, risk limits, eligible instruments, concentration limits, leverage constraints, and prohibited transactions. Must be specific enough to constrain discretion while flexible enough to execute strategy. Generic language like 'invest in digital assets' provides no meaningful constraint.
- Valuation policy: establishes pricing hierarchy, source prioritization, committee processes for complex assets, and escalation procedures for pricing disputes. Digital assets require specific guidance for illiquid tokens, DeFi positions, staking derivatives, and protocol-specific instruments.
- Business continuity and disaster recovery: details procedures for operational disruptions, key person unavailability, technology failures, and security incidents. Must address custody key recovery, multi-signature procedures, service provider failures, and communication protocols. Regular testing is required with documented results.
- Custody and security policy: defines custody models, authorization procedures, key management protocols, multi-signature requirements, hot/cold wallet allocations, and security reviews. Digital asset custody requires explicit operational procedures—generic references to 'industry standard security' prove insufficient.
- Risk management policy: establishes risk appetite framework, limit structure, monitoring procedures, escalation processes, and breach protocols. Must address traditional risks (market, credit, liquidity, operational) and digital asset-specific risks (smart contract, protocol, custody, blockchain).

1.3.2 Implementation and Exception Management

Policies provide value only when implemented and enforced. The gap between written policies and actual practice destroys credibility with allocators and creates regulatory liability without offering protection.

Implementation requirements:

- Training and acknowledgment: all employees must receive training on relevant policies and acknowledge understanding annually. Maintain training completion records and attestations.
- Monitoring and testing: establish systematic testing procedures to verify policy compliance. Document testing methodology, frequency, sample sizes, findings, and remediation.
- Violation procedures: investigate policy violations promptly, document findings, impose appropriate discipline, and implement corrective measures. Maintain violation logs showing issue identification, investigation, and resolution.
- Regular review and updates: review policies annually or when business changes materially. Document review dates, changes made, and approval. Policies unchanged for years signal disconnection from actual operations.

Takeaway message: Policies that exist only on paper create liability without providing protection. The gap between documented procedures and actual practice erodes credibility faster than having acknowledged informal processes. Allocators typically test policy effectiveness by requesting exception logs, training records, testing reports, and violation documentation. A useful self-assessment: “Can we walk through a recent policy exception—what was requested, who approved it, what was the business rationale, and how was it documented?” Firms unable to provide specific examples may signal that policies are aspirational rather than operational. Notably, having zero exceptions over extended periods can itself raise questions—either monitoring may be insufficient, or the policy framework may be disconnected from actual operations.

1.4 Succession Planning and Key Person Risk

Succession planning addresses what happens when critical personnel become unavailable—through departure, incapacitation, or death. Digital asset firms face acute key person risk because specialized knowledge often concentrates among founding team members. A CIO who is the only person who understands the firm's DeFi strategy creates existential risk; a COO who is the only person with custody access creates operational risk. Allocators assess succession planning not through aspirational documents but through specific answers to the question 'If this person is unavailable for 30 days, who performs their responsibilities and what documentation enables continuity?'
1.4.1 Critical Role Coverage Requirements

Identify roles where unavailability would materially disrupt operations, investment management, or regulatory compliance. For each critical role, document:

- Primary successor: specific individual who assumes responsibilities during short-term absence (internal or board member for small firms).
- Knowledge documentation: written procedures covering critical processes, system access requirements, key relationships, and decision frameworks.
- Access procedures: methods for accessing systems, accounts, and information if the critical person becomes unavailable unexpectedly.
- Cross-training evidence: documentation that successors have performed critical functions, understand procedures, and can execute independently.
- Long-term succession strategy: recruitment pipeline, internal development programs, or board-approved interim leadership for permanent departures.

Allocator Due Diligence Considerations

Institutional investors assess governance based on what firms can show, not just what they say. Vague answers suggest governance is only on paper, not practiced. They should check whether the firm’s board challenges management to ensure independence. They should also evaluate whether directors have the expertise to understand digital asset risks. Additionally, they should review whether governance practices have effectively prevented issues or simply documented problems after they occurred. Firms that cannot provide clear examples, respond quickly to documentation requests, or explain their governance decisions may indicate operational immaturity. This approach helps ensure that governance is genuine and effective in managing digital assets, aligning with best practices for fiduciary responsibility.

Board independence and expertise:

- How many directors are genuinely independent—no material financial relationships, family connections, or economic dependence on the firm?
- What specific digital asset operational experience does each director possess? Traditional finance credentials alone prove insufficient.
- Provide board meeting minutes from the past four quarters showing attendance, discussion depth, and challenges to management proposals.
- Describe a specific instance where the board rejected or significantly modified a management recommendation. Inability to provide examples signals rubber-stamp oversight.
- How does the board oversee custody security, smart contract risks, and protocol vulnerabilities? Generic "we monitor risks" responses fail scrutiny.

Management structure and accountability:

- Walk through the background and track record of each C-suite executive. What relevant failures or successes preceded their current role?
- Who can execute trades, authorize custody movements, and override compliance controls? Concentration in one person disqualifies institutional capital.
- What happens operationally if the CIO is unavailable for 30 days? Inability to answer specifically reveals key person dependency.
- How is executive compensation structured? Short-term incentives without meaningful deferrals signal misalignment with long-term fiduciary obligations.
- Provide your organizational chart showing reporting relationships and segregation of duties. Circular reporting or unclear authorities indicate structural deficiencies.

Policy effectiveness and enforcement:

- Describe a recent policy exception—what was requested, who approved it, what was the business rationale, and how was it documented? Zero exceptions over extended periods suggest either inadequate monitoring or policies routinely ignored.
- How do you verify policies reflect actual operations rather than aspirational frameworks? Testing records and violation logs reveal the gap between documentation and reality.
- Provide training records and attestations for the past year. Incomplete records signal policies exist without implementation.
- Walk through how a specific policy evolved as your business changed. Static policies unchanged for years indicate governance disconnected from operations.
- Who has the authority to approve policy exceptions for different categories? Unlimited CEO discretion or unclear approval hierarchies reveal inadequate controls.

Documentary evidence requirements:

- Board meeting minutes for the past four quarters with attendance records, key discussions, votes, and action items.
- Current organizational chart showing all reporting relationships and segregation of duties.
- Complete policy library with version control, revision dates, and approval documentation.
- Training completion records and employee attestations for the past 12 months.
- Exception logs with requests, approvals, rationales, and remediation tracking.
- Succession plans with documented processes and backup coverage for critical roles.

Common Pitfalls and Remediation

Board lacks independence or digital asset expertise: directors with no operational crypto knowledge defer to management on custody, protocol, and smart contract matters—providing oversight in name only.
Remediation: recruit at least one director with hands-on digital asset operational experience (not just investment exposure). Define minimum meeting attendance and require documented challenge in minutes.

Founder concentrates CEO, CIO, and operational authority: one person controls investment decisions, trade execution, custody, and cash movement without independent verification.
Remediation: separate investment authority from operational execution. If full role separation isn't feasible, require dual authorization for all asset movements and establish a board committee with direct operational oversight.

Policies exist but aren't enforced: written procedures don't match actual practice—no training records, no testing, no exception logs.
Remediation: implement annual training with documented attestations, quarterly compliance testing with written findings, and exception logs capturing every deviation with approval and rationale.

Committees approve without deliberation: meeting minutes show unanimous approval of all proposals with no recorded discussion or challenge.
Remediation: require charters specifying committee authority to reject or modify proposals. Include at least one independent member. Minutes must document questions raised and rationale for decisions—not just outcomes.

No succession coverage for critical roles: key person departure would leave no one able to perform essential functions—custody access, strategy execution, regulatory filings.
Remediation: identify critical roles, name specific successors, document procedures enabling handover, and test succession annually by having backups perform functions.

Governance documents are static: policies and org charts unchanged for years despite business evolution—new strategies, personnel, service providers.
Remediation: establish annual governance review with board sign-off. Maintain version control showing revision history. Update within 30 days of material changes.

Key Controls & Documentation (table content not preserved in this copy)