Ledger Tradelink API Driven Custodian Setup Best-Practices

Ledger Tradelink (“TRADELINK”) is a technology solution that leverages Ledger Enterprise’s governance technology to help support the creation of customizable trading and settlement networks. While the collateral management and settlement conditions are fully customizable by users, Ledger recommends that custodians implement the following best practices:

Collateral accounts management

The Custodian is responsible for creating and managing the segregated wallet(s) used to store the Client’s collateral. Ledger recommends creating new dedicated accounts for managing the collateral to ensure the accounts do not contain governance rules that may not align with the settlement management conditions. For EVM-based collateral accounts, all advanced features, including Smart Contract Interaction, Contract Deployment & Message Signature should be disabled from the beginning on the collateral parent account. In the case where a previously created account is being repurposed into a TRADELINK collateral account, the Custodian should confirm that no token spending approvals or other on-chain authorizations are currently active which could compromise the security of the collateral. The Custodian can use tools such as https://revoke.cash/ to detect and revoke unnecessary token spending approvals.

Governance

The recommended Ledger Tradelink governance model relies on a 2-out-of-3 multi-party structure, typically involving an Asset Manager, a Custodian, and a Liquidity Provider. This setup prevents any one party from unilaterally controlling assets and settlement operations.

In cases where a client assumes two of the three roles (e.g., acting as both the Custodian and Asset Manager), this concentration of power undermines the governance model and introduces significant risks, such as governance failure, increased potential for fraudulent activities, and reduced trust from participants.

If you are a Custodian assuming the role of Asset Manager, it is critical to uphold the highest standards of governance and transparency. The Custodian should implement robust internal controls and independent oversight mechanisms to mitigate potential conflicts of interest and ensure that all asset management decisions are made in the best interest of clients. For instance, it may help to:

  • Establish clear policies to identify, disclose, and manage any conflicts of interest that may arise from its dual role. Regular audits should be conducted to ensure compliance with these policies.
  • Implement clear governance rules to oversee asset management activities, ensuring that decisions are made transparently and in alignment with client objectives.
  • Ensure clear segregation of duties between custodian and asset manager activities, with separate individuals and teams managing these activities. This helps avoid a single individual or team making decisions over the custody of assets and investment decisions.

To mitigate these risks, it is strongly recommended that the governance structure always involves three distinct and independent parties. The third party, often the Exchange, should be fully informed of all governance actions and formally acknowledge their role in the setup. Additionally, parties should remain responsible for knowing who they are dealing with and ensure all governance participants are clearly defined.

The Custodian should implement two separate policies to manage withdrawals on one hand and settlement requests on the other hand. The Custodian should ensure that no other policy unrelated to TRADELINK is implemented which could allow unauthorized transfers of the collateral.

Dedicated withdrawal and settlement whitelists should be added to the two policies to ensure that withdrawal and settlement transactions can only be executed within the set of authorized and trusted addresses.

General governance recommendations are as follows:

For withdrawals:

  • Withdrawal requests can be initiated by the Client through either a PSD or an API account.
  • The Custodian provides the final approval for the transaction to be signed and broadcasted.

For settlement:

  • Settlement requests can be initiated by the Exchange.
  • The settlement request must be pre-approved by the Client so that they can verify that the settlement amount matches what is expected from their recent trades.
  • Finally, the Custodian provides the final approval when they check that all predefined settlement conditions are met.
  • The number of approvals on the Client and the Custodian to approve the settlement should adhere to the risk controls agreed to by all parties in the settlement agreement.

These transaction policies ensure that no operation can be executed without the agreement of all three parties.

Once transaction policies have been agreed to by all parties and implemented by the Custodian, no edits to the governance rules should be made unless it is requested and accepted by the other parties.

The different parties can set up real-time monitoring of the governance rules to ensure that no unauthorized changes are made by the Custodian.

API access

The Custodian is responsible for creating API user accounts and providing the corresponding credentials to the different TRADELINK participants, especially to the Exchange.

The Custodian should define a process with the other participants to securely transmit API credentials and it is the responsibility of the Exchange to secure API credentials when in use.

Settlement execution

The exchange should implement mechanisms to update the mirrored collateral in real-time and especially to include changes produced by potential withdrawals.

Data accuracy

Given the decentralized nature of blockchain technology, Ledger does not guarantee that the data provided on the Ledger Vault platform is 100% accurate and perfectly synchronized with the latest state of the blockchain.

Ledger provides functionalities to synchronize account balances with the latest state of the blockchain, but the data should always be verified with external data sources to be validated.

The custodian and exchange should implement verification mechanisms to ensure that the data they use to mirror collateral and execute settlements is correct.

An example of verification would be:

  • Synchronize account using the GET /account/{id}/sync endpoint.
  • Fetch account balance using GET /account/{id}
  • Confirm balance value from other data sources (i.e. blockchain explorers) to detect any discrepancies.

Disclaimer:

TRADELINK is a technology solution, and not a financial service. Ledger provides TRADELINK with no warranty or guarantee that it will be error-free, accurate or that it will meet your expectations or requirements. Ledger is not responsible for any data provided through TRADELINK and does not express any opinion regarding it. Such data is provided for informational purposes only and without any liability whatsoever to Ledger.

Copyright © Ledger Enterprise Platform 2022. All right reserved.