Roles & Segregation (Technical)
This document covers the regulatory justification, segregation enforcement, and how roles map to system controls.
Roles
Roles define responsibilities, not headcount. One person may hold multiple roles as long as segregation rules are respected.
| Role | Primary responsibility |
|---|---|
| Customer Support | Intake of issuance/redemption requests, external communications. No approval or verification authority. |
| Compliance Officer | Confirms partner whitelist changes, signs enforcement actions, owns the redemption Compliance Hold path. Not a per-mint or per-redemption AML gate — those checks are owned by Supply Signers, supported by system-automated and -displayed information. Also sits on the Compliance Multisig (see below). |
| Treasury Officer | Confirms fiat transfers, provides fiat balance for reserve validation, sends fiat payouts. |
| System Admin | Sensitive role — holds the secrets required for backoffice operations and administers access control itself. Infrastructure access, key management, monitoring. |
| Supply Signer | Reviews and signs on-chain supply-changing transactions. 2-of-3 required for mint; single signature sufficient for burn. Compliance Officer excluded from this pool (see §175(a) below). |
| Compliance Multisig Signer | Signs on-chain freeze / unfreeze. 2-of-3 required, with Compliance Officer mandatory in the quorum. Separate from the Supply Multisig and the Seize Multisig. |
| Seize Multisig Signer | Signs on-chain seize. 2-of-3 required. |
| Internal Auditor | Read-only access to operational and compliance records. Cannot combine with any operational or compliance role. External/outsourced is acceptable. |
Regulatory Basis
Some regulations are principles-based (governance, SoD); others are prescriptive (mandatory roles, mandatory independence). Our role model, access controls, and the Compliance Multisig are design choices satisfying these requirements.
Governance (principles-based).
- PSD2 Art. 11(4) (via EMD2 Art. 3(1)) — "Member States shall require that payment institutions … have robust governance arrangements for their payment services business, which include a clear organisational structure with well-defined, transparent and consistent lines of responsibility, effective procedures to identify, manage, monitor and report the risks to which they are or might be exposed, and adequate internal control mechanisms, including sound administrative and accounting procedures; those arrangements, procedures and mechanisms shall be comprehensive and proportionate to the nature, scale and complexity of the payment services provided by the payment institution."
- LT EMI Law Art. 16 — governance and internal-control obligations for the Lithuanian EMI licence.
- EBA Guidelines on Internal Governance — applied to the EMI licence.
Segregation of duties (prescriptive).
- EBA GL on Internal Governance §149 — "Institutions should establish adequate segregation of duties – e.g. entrusting conflicting activities within the processing of transactions or when providing services to different persons, or entrusting supervisory and reporting responsibilities for conflicting activities to different persons."
- EBA GL §175(a) (compliance-function independence) — "their staff do not perform any operational tasks that fall within the scope of the activities the internal control functions are intended to monitor and control."
- DORA Art. 6(4) — "Financial entities … shall assign the responsibility for managing and overseeing ICT risk to a control function and ensure an appropriate level of independence of such control function in order to avoid conflicts of interest. Financial entities shall ensure appropriate segregation and independence of ICT risk management functions, control functions, and internal audit functions, according to the three lines of defence model, or an internal risk management and control model."
AML/CFT roles (prescriptive).
- LT AML Act Art. 22(1) (edition of 2026-01-01) — "must appoint a member of the management board who would organise … the implementation of money laundering and/or terrorist financing prevention measures, and senior employees who would cooperate with the Financial Crime Investigation Service." (Obliges designation of a management-body member responsible for AML/CFT implementation, and senior liaison employees cooperating with FCIS.)
- AMLD5 Art. 46(4) — requires designation of a compliance officer responsible for AML/CFT.
Internal audit (prescriptive).
- LT EMI Law Art. 28(6) — mandates an internal audit function at the EMI.
- EBA GL §§213-230 — internal-audit function scope and independence.
Access Control
Supply Multisig. The Supply Multisig holds MINTER_ROLE and BURNER_ROLE on the token contract. Mint requires 2-of-3 Supply Signer approval — no single signer can execute alone. Burn requires a single Supply Signer signature, since burns only destroy tokens with no inflation risk. Compliance Officer is excluded from this pool per EBA GL §175(a) (compliance cannot perform operational tasks it monitors). Treasury Officer may be in the pool; when Treasury signs a mint, the co-signer must independently verify the fiat attestation (bank statement / safeguarding-account receipt) before signing — otherwise Treasury effectively self-approves through a thin multisig.
Compliance Multisig. Freeze and unfreeze require 2-of-3 Compliance Multisig Signer approval, with Compliance Officer mandatory in the quorum. Holds the freezer role on the token contract. Separate on-chain contract from the Supply Multisig and the Seize Multisig, with a distinct key set and signing policy.
Scope assumption. The Compliance Multisig acts against holders / addresses (block/freeze/unfreeze of an identified party under AML, sanctions, or Travel Rule grounds). Under this scope, EBA GL §175(a) (which prohibits compliance from "perform[ing] any operational tasks that fall within the scope of the activities the internal control functions are intended to monitor and control") is not breached — enforcement against a flagged holder is compliance-domain execution, not operational execution of activities compliance monitors.
§149 note on co-signer review. The co-signer must independently review the compliance case file. Co-signers are either presumed competent to review a compliance case file or are required by process to verify with someone who is.
Seize Multisig. Authority-compelled only — moves a specified amount from a frozen target address to a destination set by the order. EMI cannot self-initiate. Holds the seizer role on the token contract; the contract enforces a freeze precondition on every seize. Requires 2-of-3 Seize Multisig Signer approval — at least as strong as mint, since seize moves balances and (for ZK) effectively credits the destination from a TRC-revealed amount. For ZK seize, co-signers also review the decryption child record before signing.
Role-based permissions. The backoffice enforces role-based permissions at the application layer — specific actions require the appropriate role (Treasury Officer, Compliance Officer) to approve before the transaction is prepared for signing.
Required Governance Roles
Beyond the system roles above, the following roles are mandated by regulation. Some are governance actors without backoffice system access; others map onto system roles.
| Regulatory role | Basis | Maps to |
|---|---|---|
| Management body | EMD2 Art. 3(1); LT EMI Law Art. 16 | Governance actor. No system access. |
| Head of institution | LT EMI Law Art. 16 | Governance actor. No system access. |
| Head of Compliance | EBA GL §175; AMLD5 Art. 46(4) | = Compliance Officer (system role). |
| Board AML-designate | LT AML Act Art. 22(1) | May combine with Head of Compliance if appointed to the management body. |
| Senior FCIS liaison | LT AML Act Art. 22(1) | Additional hat worn by the Compliance Officer. |
| Internal Audit Function | LT EMI Law Art. 28(6); EBA GL §§213-230 | = Internal Auditor (system role). External/outsourced is acceptable. |
Out of scope of this document: Risk Management Function, ICT Risk Oversight (DORA Art. 6(4)), Data Protection Officer, Whistleblowing Channel Owner (AMLD5 Art. 61), Complaints-Handling Function (LT EMI Law Art. 29(1)), Outsourcing Policy Owner (LT EMI Law Art. 26 / MiCA Art. 73 / DORA Art. 28), Whitepaper Lifecycle Owner (MiCA Art. 51(11)(12)).
Minimum Staffing
Four-person minimum. Internal Auditor and governance roles are held outside this operational model (external/outsourced, or held by a member of the management body).
| Person | Roles |
|---|---|
| Person 1 | Customer Support + Treasury Officer + Supply Signer |
| Person 2 | Compliance Officer + Compliance Multisig Signer |
| Person 3 | System Admin + Supply Signer + Compliance Multisig Signer |
| Person 4 | Operations Officer (backup Treasury/CS) + Supply Signer + Compliance Multisig Signer |
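The segregation rules in the Roles table, the signing policies under Access Control and the four-person plan under Minimum Staffing can be checked mechanically before a plan or a signing request is accepted. The following Python is an added example, not code from this document or from the backoffice it describes: it encodes those rules, validates the staffing table (the table assigns no Seize Multisig Signers, so seize membership is only exercised through a constructed extension) and evaluates sample signing requests. The `Request` fields, the function names and the representation of the Treasury co-signer check as a recorded `fiat_attested` flag are assumptions of this example.

```python
"""Segregation-of-duties and multisig quorum checker (added example).

Role and person names follow the page; the data structures, function
names and the sample requests are assumptions made for this example.
"""
from dataclasses import dataclass

# Roles that are operational or compliance in nature: the Internal Auditor
# may not be combined with any of them (Roles table).
OPERATIONAL_OR_COMPLIANCE = {
    "Customer Support", "Compliance Officer", "Treasury Officer",
    "System Admin", "Supply Signer", "Compliance Multisig Signer",
    "Seize Multisig Signer", "Operations Officer",
}

# Staffing plan copied from the "Minimum Staffing" table.
STAFFING = {
    "Person 1": {"Customer Support", "Treasury Officer", "Supply Signer"},
    "Person 2": {"Compliance Officer", "Compliance Multisig Signer"},
    "Person 3": {"System Admin", "Supply Signer", "Compliance Multisig Signer"},
    "Person 4": {"Operations Officer", "Supply Signer", "Compliance Multisig Signer"},
}


def check_segregation(staffing):
    """Return a list of segregation findings; an empty list means the plan is valid."""
    findings = []
    for person, roles in staffing.items():
        # EBA GL §175(a): compliance must not sit in the operational signer pool.
        if "Compliance Officer" in roles and "Supply Signer" in roles:
            findings.append(f"{person}: Compliance Officer cannot be a Supply Signer")
        # Internal Auditor is read-only and combines with nothing operational.
        if "Internal Auditor" in roles and roles & OPERATIONAL_OR_COMPLIANCE:
            findings.append(f"{person}: Internal Auditor combined with operational/compliance role")
    # A 2-of-3 pool needs exactly three distinct persons; fewer, and "2-of-3"
    # is a single person approving twice.
    for pool in ("Supply Signer", "Compliance Multisig Signer"):
        members = [p for p, r in staffing.items() if pool in r]
        if len(members) != 3:
            findings.append(f"{pool} pool has {len(members)} members, needs 3")
    # The Compliance Officer must be able to sit in every freeze/unfreeze quorum.
    officers = [p for p, r in staffing.items() if "Compliance Officer" in r]
    if not any("Compliance Multisig Signer" in staffing[p] for p in officers):
        findings.append("Compliance Officer is not a Compliance Multisig Signer")
    return findings


@dataclass
class Request:
    action: str                    # mint | burn | freeze | unfreeze | seize
    signers: tuple                 # persons who signed
    fiat_attested: bool = False    # assumption: co-signer recorded the fiat attestation check
    target_frozen: bool = False    # contract freeze precondition for seize
    authority_order: bool = False  # seize is compelled by an authority order


def evaluate(req, staffing):
    """Apply the signing policy from "Access Control"; return (approved, reason)."""
    signers = set(req.signers)
    if len(signers) != len(req.signers):
        return False, "duplicate signer"

    def in_pool(role):
        return {p for p in signers if role in staffing.get(p, set())}

    if req.action == "mint":
        supply = in_pool("Supply Signer")
        if len(supply) < 2:
            return False, "mint needs 2-of-3 Supply Signers"
        # When Treasury signs, the co-signer must have verified the fiat attestation.
        if any("Treasury Officer" in staffing[p] for p in supply) and not req.fiat_attested:
            return False, "Treasury signed: co-signer must verify fiat attestation"
        return True, "mint approved"
    if req.action == "burn":
        return (True, "burn approved") if in_pool("Supply Signer") else (False, "burn needs a Supply Signer")
    if req.action in ("freeze", "unfreeze"):
        comp = in_pool("Compliance Multisig Signer")
        if len(comp) < 2:
            return False, f"{req.action} needs 2-of-3 Compliance Multisig Signers"
        if not any("Compliance Officer" in staffing[p] for p in comp):
            return False, "Compliance Officer mandatory in quorum"
        return True, f"{req.action} approved"
    if req.action == "seize":
        if not req.authority_order:
            return False, "seize must be authority-compelled"
        if not req.target_frozen:
            return False, "contract freeze precondition not met"
        if len(in_pool("Seize Multisig Signer")) < 2:
            return False, "seize needs 2-of-3 Seize Multisig Signers"
        return True, "seize approved"
    return False, "unknown action"


if __name__ == "__main__":
    print("staffing findings:", check_segregation(STAFFING) or "none")
    for r in (Request("mint", ("Person 1", "Person 3")),
              Request("mint", ("Person 1", "Person 3"), fiat_attested=True),
              Request("freeze", ("Person 3", "Person 4")),
              Request("freeze", ("Person 2", "Person 3"))):
        print(r.action, r.signers, evaluate(r, STAFFING))
```

Running the module validates the page's own staffing table (no findings) and shows the two cases practitioners most often get wrong: a mint co-signed by Treasury without an independent attestation check, and a freeze quorum that lacks the Compliance Officer.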