What is
TGRAF?
TGRAF stands for the Technology and Information Risk Assessment Framework — VARA's technology-governance rulebook for licensed VASPs. TGRAF defines the technology architecture, cyber-security, business-continuity, data-governance, third-party-risk and operational-resilience expectations that every VARA-licensed firm must operate to. Annual independent technology audits are mandatory.
What does TGRAF cover?
TGRAF prescribes operational requirements across multiple technology domains:
- Technology architecture and design — secure, resilient, auditable systems.
- Cybersecurity controls — access management, encryption, intrusion detection, incident response.
- Business continuity and disaster recovery — documented plans, tested annually.
- Data governance — classification, retention, integrity, privacy.
- Third-party risk management — vendor due-diligence, ongoing monitoring, exit strategies.
- Operational resilience — capacity, performance, change-management, audit trail.
- Wallet and key management — segregation, multi-signature, hot/cold architecture.
What is the annual TGRAF audit?
VARA-licensed VASPs must engage an independent qualified auditor to conduct a comprehensive technology audit annually. The audit covers the full TGRAF framework, with findings reported to VARA. The audit is not a tick-box exercise — weaknesses identified must be remediated and tracked through to VARA supervisory dialogue.
What's the practical impact?
TGRAF compliance is materially more demanding than the technology-governance regime applicable to most non-VARA fintech firms. Common preparation work for prospective licensees includes: documenting all technology systems and dependencies; building incident-response and BCP frameworks; engaging cybersecurity certifications (ISO 27001 is common); establishing wallet-architecture documentation; and preparing the third-party-risk register.
How does TGRAF interact with other VARA rulebooks?
TGRAF is one of several VARA rulebooks (Compliance & Risk, Market Conduct, Custody Services, etc.). The rulebooks operate together — TGRAF specifies the technology layer that supports operational compliance with the activity-specific rulebooks. A custody licensee, for example, must satisfy the Custody Services Rulebook substantively and operate it on technology that satisfies TGRAF.
Who must comply with TGRAF?
Every VARA-licensed VASP, regardless of activity category. TGRAF is cross-cutting: exchange, broker-dealer, custody, advisory and management licensees all operate their technology under it, scaled to the nature and risk of the business.
Is a TGRAF audit required every year?
Yes. VARA-licensed firms must commission an independent technology audit annually covering the TGRAF domains, report findings to VARA, and remediate weaknesses under supervisory follow-up.
When should a VARA applicant start TGRAF preparation?
Before applying. The regulatory business plan must describe TGRAF-aligned architecture, and licence conditions typically require the framework to be operating at go-live — retrofitting technology governance after build-out is far more expensive than designing to it.
Need to act on this?
Senior counsel only. No associates. Direct engagement with the partner who will run your matter.
VARA Supervision Retainer →