Tool · Crypto-Exchange Operations Self-Audit

How inspection-ready is your exchange?

A Class-3 CASP self-audit across the eight areas NCAs inspect — custody architecture, client-asset segregation, market-abuse surveillance, conflicts of interest, AML / KYT, complaints handling, ICT / DORA, and business continuity. Mark a status for each item to get a live overall score, per-dimension bands, and the gaps to close first.

Custody Architecture

Critical gap · 0

Hot/warm/cold split, key-management ceremony, holding limits

Documented hot / warm / cold wallet split with quantified hot-wallet exposure limits · MiCA Art. 75

Hot-wallet float capped as a share of total client holdings; cold storage holds the balance under multi-party control.

Key-management ceremony documented (generation, sharding, rotation, recovery) with dual control · MiCA Art. 75

MiCA Art. 75 — secure custody policy covering key lifecycle and access governance.

Client-asset holding limits and position registers reconciled to on-chain balances · MiCA Art. 75

A register of positions per client mapped to controlled wallets, evidencing what is actually held.

Client-Asset Segregation

Critical gap · 0

Segregation, daily reconciliation, insolvency ring-fence

Client crypto-assets and funds segregated from the firm’s own assets · MiCA Art. 70

MiCA Art. 70 — client holdings held separately so they are identifiable at all times.

Daily reconciliation of internal ledger to client positions and on-chain balances · MiCA Art. 70

Breaks investigated and cleared within a defined SLA; reconciliation evidence retained.

Insolvency ring-fence: legal opinion confirming client assets are bankruptcy-remote · MiCA Art. 70

MiCA Art. 70 — client assets shielded from creditors of the CASP on insolvency.

Market-Abuse Surveillance

Critical gap · 0

Surveillance system, insider lists, STOR pipeline

Automated market-surveillance system covering insider dealing and market manipulation · MiCA Art. 92

MiCA Art. 92 — arrangements to detect and prevent market abuse across listed pairs.

Insider lists maintained for non-public information ahead of listings and announcements · MiCA Art. 88

MiCA Art. 88 — control of inside information relating to crypto-assets.

STOR pipeline operational — suspicious transactions reportable to the NCA on time · MiCA Art. 92

MiCA Art. 92 — Suspicious Transaction and Order Reports filed without delay.

Conflicts of Interest

Critical gap · 0

Policy, prop-trading separation, listing-committee independence

Conflicts-of-interest policy maintained, disclosed, and reviewed at least annually · MiCA Art. 72

MiCA Art. 72 — identify, prevent, manage, and disclose conflicts to clients.

Proprietary trading separated from client-facing and order-matching functions · MiCA Art. 72

Information barriers and separate books prevent the firm trading against client flow.

Listing committee independent from commercial and proprietary-desk influence · MiCA Art. 72

Token-listing decisions governed by an independent, documented committee.

AML / KYT

Critical gap · 0

Onboarding KYC, transaction monitoring + chain analytics, sanctions

Risk-based onboarding KYC with ongoing CDD and beneficial-ownership verification · AMLR / 6AMLD

AMLR (EU) 2024/1624 — customer due diligence proportionate to assessed risk.

Transaction monitoring with chain-analytics screening of deposit and withdrawal addresses · AMLR / 6AMLD

Know-Your-Transaction controls flag exposure to illicit-source wallets and mixers.

Real-time sanctions screening of customers, counterparties, and wallet addresses · AMLR / 6AMLD

AMLR — targeted financial sanctions screening at onboarding and continuously.

Complaints Handling

Critical gap · 0

Intake + SLA, decisioning timeline, NCA escalation

Free complaints-intake channel with logged acknowledgement and a defined SLA · MiCA Art. 71

MiCA Art. 71 — effective and transparent procedures for prompt complaint handling.

Decisioning timeline and reasoned outcomes communicated within the published deadline · MiCA Art. 71

MiCA Art. 71 — complaints investigated and resolved within committed timelines.

NCA / out-of-court escalation route documented and disclosed to clients · MiCA Art. 71

MiCA Art. 71 — clients informed of their right to escalate unresolved complaints.

ICT / DORA

Critical gap · 0

ICT risk register, incident classification + reporting, testing

ICT risk register mapped to critical and important functions, reviewed annually · DORA Art. 5–8

DORA — board-owned ICT risk-management framework with a maintained asset register.

Incident classification + reporting hitting 4h / 72h / 1-month notification timelines · DORA Art. 18–19

DORA Art. 18–19 — classify by impact and notify the NCA within prescribed windows.

Resilience-testing programme executed in the last 12 months with tracked remediation · DORA Art. 24–25

DORA Art. 24–25 — vulnerability scans and penetration tests on critical systems.

Business Continuity

Critical gap · 0

Tested BCP, wind-down plan, third-party concentration

BCP with recovery objectives tested at least annually · MiCA Art. 68

MiCA Art. 68 / DORA — business-continuity policy with tested recovery plans.

Orderly wind-down plan in place enabling return of client assets · MiCA Art. 68

MiCA Art. 68 — continuity and regularity of services, including orderly exit.

Third-party concentration risk assessed with documented exit / fallback strategy · DORA Art. 28

DORA Art. 28 — concentration-risk identification and multi-vendor / exit strategy.

Dataset version 2026-06-02. No data is sent or stored. Computation runs locally.

Overall score · 0 / 100 · Critical gap

Per dimension
  • Custody · 0
  • Client-Asset · 0
  • Market-Abuse · 0
  • Conflicts · 0
  • AML · 0
  • Complaints · 0
  • ICT · 0
  • Business · 0

Top 5 gaps to close

Ordered by combined dimension weight + status weakness. Closing these in this order produces the largest score uplift per hour of remediation effort.

01 · Documented hot / warm / cold wallet split with quantified hot-wallet exposure limits · Custody Architecture · MiCA Art. 75
02 · Client crypto-assets and funds segregated from the firm’s own assets · Client-Asset Segregation · MiCA Art. 70
03 · Risk-based onboarding KYC with ongoing CDD and beneficial-ownership verification · AML / KYT · AMLR / 6AMLD
04 · Automated market-surveillance system covering insider dealing and market manipulation · Market-Abuse Surveillance · MiCA Art. 92
05 · Key-management ceremony documented (generation, sharding, rotation, recovery) with dual control · Custody Architecture · MiCA Art. 75

Per-dimension weakest items
Custody Architecture · 0 / 100
  • Documented hot / warm / cold wallet split with quantified hot-wallet exposure limits · MiCA Art. 75
  • Key-management ceremony documented (generation, sharding, rotation, recovery) with dual control · MiCA Art. 75
  • Client-asset holding limits and position registers reconciled to on-chain balances · MiCA Art. 75
Client-Asset Segregation · 0 / 100
  • Client crypto-assets and funds segregated from the firm’s own assets · MiCA Art. 70
  • Daily reconciliation of internal ledger to client positions and on-chain balances · MiCA Art. 70
  • Insolvency ring-fence: legal opinion confirming client assets are bankruptcy-remote · MiCA Art. 70
Market-Abuse Surveillance · 0 / 100
  • Automated market-surveillance system covering insider dealing and market manipulation · MiCA Art. 92
  • Insider lists maintained for non-public information ahead of listings and announcements · MiCA Art. 88
  • STOR pipeline operational — suspicious transactions reportable to the NCA on time · MiCA Art. 92
Conflicts of Interest · 0 / 100
  • Conflicts-of-interest policy maintained, disclosed, and reviewed at least annually · MiCA Art. 72
  • Proprietary trading separated from client-facing and order-matching functions · MiCA Art. 72
  • Listing committee independent from commercial and proprietary-desk influence · MiCA Art. 72
AML / KYT · 0 / 100
  • Risk-based onboarding KYC with ongoing CDD and beneficial-ownership verification · AMLR / 6AMLD
  • Transaction monitoring with chain-analytics screening of deposit and withdrawal addresses · AMLR / 6AMLD
  • Real-time sanctions screening of customers, counterparties, and wallet addresses · AMLR / 6AMLD
Complaints Handling · 0 / 100
  • Free complaints-intake channel with logged acknowledgement and a defined SLA · MiCA Art. 71
  • Decisioning timeline and reasoned outcomes communicated within the published deadline · MiCA Art. 71
  • NCA / out-of-court escalation route documented and disclosed to clients · MiCA Art. 71
ICT / DORA · 0 / 100
  • ICT risk register mapped to critical and important functions, reviewed annually · DORA Art. 5–8
  • Incident classification + reporting hitting 4h / 72h / 1-month notification timelines · DORA Art. 18–19
  • Resilience-testing programme executed in the last 12 months with tracked remediation · DORA Art. 24–25
Business Continuity · 0 / 100
  • BCP with recovery objectives tested at least annually · MiCA Art. 68
  • Orderly wind-down plan in place enabling return of client assets · MiCA Art. 68
  • Third-party concentration risk assessed with documented exit / fallback strategy · DORA Art. 28

For orientation only — not financial, legal, regulatory, or investment advice. Outputs are directional and based on generalised inputs. Decisions should be taken only after consultation with a qualified adviser on your specific facts — book the full assessment before acting on anything you read here.

Numbers shown exclude finconduit fees and any third-party costs (legal, audit, regulator-mandated experts, banking-relationship fees, document-translation, ongoing supervisory levies, or local agent / service-provider charges). Real-world authorisation budgets typically exceed the headline regulator-side numbers by a meaningful multiple.