(205 ILCS 731/10-10)
Sec. 10-10. Required policies and procedures.
(a) An applicant, before submitting an application, shall create and a registrant, during registration, shall maintain, implement, update, and enforce, written compliance policies and procedures for all of the following:
(1) A cybersecurity program.
(2) A business continuity program.
(3) A disaster recovery program.
(4) An anti-fraud program.
(5) An anti-money laundering and countering the financing of terrorism program.
(6) An operational security program.
(7)(A) A program designed to ensure compliance with this Act and other laws of this State or federal laws that are relevant to the digital asset business activity contemplated by the registrant with or on behalf of residents and to assist the registrant in achieving the purposes of other State laws and federal laws if violation of those laws has a remedy under this Act.
(B) At a minimum, the program described by this paragraph shall specify the policies and procedures that the registrant undertakes to minimize the risk that the registrant facilitates the exchange of unregistered securities.
(8) A conflict of interest program.
(9) A request for assistance program to comply with Section 5-20.
(10) Any other compliance program, policy, or procedure the Department establishes by rule as necessary for the protection of residents or for the safety and soundness of the registrant's business or to effectuate the purposes of this Act.
(b) A policy required by subsection (a) shall be maintained in a record and designed to be adequate for a registrant's contemplated digital asset business activity with or on behalf of residents, considering the circumstances of all participants and the safe operation of the activity. Any policy and implementing procedure shall be compatible with other policies and the procedures implementing them and not conflict with policies or procedures applicable to the registrant under other State law.
(c) A registrant's anti-fraud program shall include, at a minimum, all of the following:
(1) Identification and assessment of the material risks of its digital asset business activity related to fraud, which shall include any form of market manipulation and insider trading by the registrant, its employees, its associated persons, or its customers.
(2) Protection against any material risk related to fraud identified by the Department
(3) Periodic evaluation and revision of the anti-fraud program, policies, and
(d) A registrant's anti-money laundering and countering the financing of terrorism program shall include, at a minimum, all of the following:
(1) Identification and assessment of the material risks of its digital asset business activity related to money laundering and financing of terrorist activity.
(2) Procedures, in accordance with federal law or guidance published by federal agencies responsible for enforcing federal law, pertaining to money laundering and financing of terrorist activity.
(3) Filing reports under the Bank Secrecy Act, 31 U.S.C. 5311 et seq., or Chapter X of Title 31 of the Code of Federal Regulations and other federal or State law pertaining to the prevention or detection of money laundering or financing of terrorist activity.
(e) A registrant's operational security program shall include, at a minimum, reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of any nonpublic information or digital asset it receives, maintains, or transmits.
(f)(1) A registrant's cybersecurity program shall include, at a minimum, all of the following:
(A) Maintaining, updating, and enforcing policies and procedures designed to protect the confidentiality, integrity, and availability of the registrant's information systems and nonpublic information stored on those information systems.
(B) Implementing and maintaining a written policy or policies, approved at least annually by an executive officer or the registrant's board of directors, or an appropriate committee thereof, or equivalent governing body, setting forth the registrant's policies and procedures for the protection of its information systems and nonpublic information stored on those information systems.
(C) Designating a qualified individual responsible for overseeing and implementing the registrant's cybersecurity program and enforcing its cybersecurity policy. The individual must have adequate authority to ensure cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain a cybersecurity program. The individual may be employed by the registrant, one of its affiliates, or a service provider.
(2) To assist in carrying out this subsection, the Department may adopt rules to define terms used in this subsection and to establish specific requirements for the required cybersecurity program, including, but not limited to, rules related to:
(A) penetration testing and vulnerability assessment;
(B) audit trails;
(C) access privileges;
(D) application security;
(E) risk assessment;
(F) cybersecurity personnel and intelligence;
(G) affiliates and service providers;
(H) authentication;
(I) data retention;
(J) training and monitoring;
(K) encryption;
(L) incident response;
(M) notice of cybersecurity events; and
(N) any other requirement necessary and appropriate for the protection of residents or for the safety and soundness of the registrant or to effectuate the purposes of this subsection.
(g) The Department may require a registrant to file with the Department a copy of any report it makes to a federal or state authority.
(h) After the policies and procedures required under this Article are created and approved by the registrant, the registrant shall engage a qualified individual or individuals with adequate authority and experience to monitor and implement each policy and procedure, publicize it as appropriate, recommend changes as necessary, and enforce it.
(Source: P.A. 104-428, eff. 8-18-25.)