The Hong Kong Securities and Futures Commission (SFC), the special administrative region's top finance sector regulator, issued a circular last Friday outlining required controls for licensed custodians of digital assets, to be implemented immediately.
The update sets the minimum requirements that virtual asset trading platforms (VATPs) must meet and provides examples of good practices to help comply with the rules. Requirements include implementing mechanisms for detecting unauthorized access or intrusions to critical wallet infrastructure, allowing withdrawals only to whitelisted addresses, and maintaining effective 24/7 monitoring of systems, networks, wallets, and infrastructure.
"In order for Hong Kong to foster a competitive, sustainable and trusted digital asset ecosystem, client asset protection must always remain a top priority for all licensed VATPs," said Dr. Eric Yip, the SFC's Executive Director of Intermediaries. He added that firms can leverage the SFC's practical guide to step up their custody practices, especially amid heightened risks globally.
The regulator cited multiple cases of custody vulnerabilities that have arisen overseas as the reason for its updated and strengthened requirements, along with the findings from its own targeted review earlier this year of virtual asset service providers' (VASPs) resilience against cybersecurity threats, which revealed inadequacies in some operators' controls.
"Multiple cybersecurity incidents at overseas virtual asset platforms resulting in significant client asset losses have also highlighted persistent risks to custody globally," said the SFC. Key weaknesses in wallet infrastructures and controls include compromised third-party wallet solutions, insufficient transaction verification processes, and inadequate access controls over approval devices.
One of the notable changes to the custody standards is a ban on smart contracts in cold wallets. The circular stated that cold wallet implementations should not include smart contracts on public blockchains to minimize potential online attack vectors associated with on-chain smart contracts.
The new SFC standards also require that VASPs implement strong controls preventing unauthorized transactions from cold wallets.
"Whitelist controls should be used to prevent asset transfers to unapproved wallet addresses," said the circular. Any modifications or additions to the cold wallet whitelist should be subject to stringent controls and oversight. Each transaction should undergo systematic verification to ensure that only authorized transactions proceed and no unapproved or unexpected parameters exist.
Another measure requires trading platforms to implement real-time reconciliation of on-chain client assets with the ledger balance. Any unexpected transactions that cause discrepancies should also be promptly flagged.
The SFC made clear that the requirements outlined in the circular are to take immediate effect, and that operators should assess their virtual assets custody framework, procedures, and controls to ensure compliance.
Hong Kong crypto hub
This year, Hong Kong has further ramped up efforts to establish itself as a digital asset hub.
In January, the Hong Kong Monetary Authority (HKMA), the central bank of Hong Kong, launched a new initiative to support local banks as they launch blockchain products. It was described as a new supervisory arrangement allowing local banks to maximize the potential benefits of DLT adoption by effectively managing the associated risks.
This was followed, in May, by Hong Kong legislators passing the Stablecoin Ordinance, bringing a comprehensive licensing regime for stablecoins, with any issuing entity in Hong Kong (or issuing Hong Kong dollar-referenced stablecoins anywhere in the world) henceforth needing to obtain a license from the central bank.
A month later the SFC announced plans to permit digital asset derivatives for professional investors, as part of the broader strategy to expand product offerings and reinforce the territory's growing status as a fintech hub.
Most recently, and in the clearest sign yet of Hong Kong's crypto-hub ambitions, on June 26, the territory's government released its Policy Statement 2.0 on the Development of Digital Assets in Hong Kong. Amongst other measures, it introduced the LEAP framework that doubles down on stablecoin and asset tokenization policies and unifies its regulatory framework for all VASPs.
Hong Kong's efforts to embrace the digital asset space and the booming investment therein have naturally led to some increased caution from regulators. However, the SFC was keen to point out that its latest circular is aimed at contributing to a solid foundation for the industry rather than imposing onerous obligations on the traditionally regulation-shy sector.