The APAC FINSTAB KYA framework

KYA extends ACAS from general agent compliance into a specific scoring model for autonomous economic activity: identity, authority, wallets, venues, evidence, security, and jurisdictional exposure.

1. Operator identity

Legal entity, beneficial owner, developer, deployer, service provider, and escalation contact.

2. Agent mandate

Allowed tasks, prohibited actions, spending limits, trading limits, user consent, and revocation path.

3. Wallet and custody

Key control, signing policy, withdrawal controls, smart-account delegation, and recovery procedures.

4. Tool and venue access

Exchange APIs, MCP tools, bridges, lending protocols, order routing, and third-party execution risk.

5. Audit trail

Prompt history, policy checks, signed intents, transaction logs, human approvals, and evidence retention.

6. Security and abuse

Prompt injection controls, data leakage, adversarial tasking, fraud screening, and sanctions exposure.

7. Jurisdiction fit

Licensing perimeter across APAC markets, promotion rules, outsourcing rules, and cross-border servicing.

| Score band | KYA status | Meaning | Typical next action |
| --- | --- | --- | --- |
| 85-100 | Verified | Agent has documented operator identity, bounded authority, auditable wallet/tool use, and jurisdiction controls. | Eligible for public registry profile and periodic monitoring. |
| 65-84 | Review-ready | Core controls exist but evidence is incomplete or venue/jurisdiction coverage is narrow. | Request missing logs, policies, wallet permissions, or legal memo. |
| 40-64 | High-friction | Agent may be useful, but accountability, wallet control, or auditability is not yet exchange-grade. | Limit permissions and avoid production financial authority. |
| 0-39 | Red flag | Operator, mandate, or transaction evidence is missing, contradictory, or unsafe. | Block financial actions until ownership and controls are proven. |

Implementation note: KYA does not replace KYC, KYB, KYT, sanctions screening, or licensing analysis. It connects those controls to the non-human actor that is executing the workflow.