Compiled by: Blog, Bailu Living Room
The security of digital assets has always been one of the most discussed topics in the industry. With more and more traditional institutions entering the market, how to protect users' digital assets in the hacker-ridden Web3 world has become a problem that must be solved as the industry continues to expand.
In 2024, the U.S. SEC approved Bitcoin spot ETFs, and Coinbase became the Bitcoin custodian for eight of the ETF issuers, which significantly boosted its revenue. Digital asset custody is no longer just a technical issue; it has also become a business that powerful institutions must compete for. If Hong Kong wants to catch up with the United States quickly, it must also speed up and improve the supervision of digital asset custody.
On February 20, 2024, the Hong Kong Monetary Authority (HKMA) issued guidance on digital asset custody activities setting out the expected standards, which cover governance and risk management, segregation of customer digital assets, protection of customer digital assets, and delegation and outsourcing, for institutions and their subsidiaries that carry out digital asset custody activities in Hong Kong.
The following is a compilation of the original content of the guidelines.
Expected Standards for Authorized Institutions Providing Digital Asset Custody Services
This guidance applies to Authorized Institutions (AIs) and their locally incorporated subsidiaries that hold digital assets on behalf of clients (i.e. assets that rely primarily on cryptography and distributed ledger or similar technologies), excluding special purpose digital tokens. By way of illustration, covered assets include virtual assets (VAs), tokenized securities and other tokenized assets. This guidance does not apply to the custody of AIs' or their group companies' own assets, which are not held on behalf of clients.
(A) Governance and Risk Management
1. Before launching digital asset custody services, authorized institutions should conduct a comprehensive risk assessment to identify and understand the relevant risks. Authorized institutions should establish appropriate policies, procedures and controls to manage and mitigate the identified risks, taking into account applicable legal and regulatory requirements. The institution's board of directors and senior management should effectively oversee the risk management process to ensure that the risks associated with custody activities are identified, assessed, managed and mitigated before engaging in digital asset custody activities and throughout the course of these activities.
2. Authorized institutions should allocate sufficient resources to their custody activities, including the necessary manpower and expertise to ensure appropriate governance, operations and effective risk management. Senior management and employees involved in the institution’s digital asset custodial activities and related control functions should have the knowledge, skills, and expertise necessary to perform their responsibilities.
3. Given the rapid development of the digital asset field, authorized institutions should ensure that adequate training is provided to senior management and employees engaged in custody activities so that their skills remain current.
4. Authorized institutions should establish appropriate accountability arrangements for custody activities, including clearly written roles, responsibilities and reporting lines. Adequate policies and procedures should also be in place to identify, manage and mitigate potential and/or actual conflicts of interest, such as those that may arise between different activities carried out by the institution or its affiliates.
5. Authorized institutions should establish and maintain effective backup and disaster recovery arrangements to ensure business continuity of their custody activities.
(B) Isolation of customer digital assets
6. Authorized institutions should hold customer digital assets in separate, dedicated customer accounts, segregated from the institution's own assets, so that customer digital assets are protected from claims by the institution's creditors in the event of its bankruptcy or dissolution.
7. An authorized institution shall not transfer any right, interest, title or legal and/or beneficial ownership in a customer's digital assets, nor otherwise lend, mortgage, re-collateralize or impose any encumbrance on a customer's digital assets, except (i) to settle transactions and/or fees and charges owed by the customer to the institution; (ii) with the customer's prior express written consent; or (iii) as required by law. Institutions should take adequate and effective measures to prevent customers' digital assets from being used for any purpose other than the customers' own accounts or purposes agreed with the customers.
(C) Protection of Customer Digital Assets
8. An authorized institution should establish adequate systems and controls to ensure that customer digital assets are promptly and properly accounted for and fully protected. In particular, the institution should develop effective controls to minimize the risk of loss of a customer's digital assets through theft, fraud, negligence or other misappropriation, as well as the risk of delayed or lost access to the customer's digital assets.
9. In developing systems and controls to protect customers' digital assets, authorized institutions may adopt a risk-based approach that considers the nature, characteristics and risks of the assets held. Risks may depend, for example, on the type of distributed ledger technology (DLT) network used (e.g. private permissioned, public permissioned or public permissionless) and on the mitigation measures taken. For example, customer digital assets held on public permissionless DLT networks may face higher cybersecurity risks, and recovering lost assets may be more difficult in the event of theft, hacking or other cyberattacks, whereas on public permissioned and private permissioned DLT networks there may be measures to control access to the network.
10. Systems and controls used to protect customers' digital assets include, but are not limited to, written policies and procedures for:
- Authorizing and authenticating access to conduct deposits, withdrawals and transfers of customer digital assets, including access to devices storing seeds and private keys; and
- Managing and protecting the seeds and private keys of customer digital assets, including key generation, distribution, storage, use, destruction and backup.
11. In particular, authorized institutions are expected to adopt relevant industry best practices and follow applicable international security standards consistent with the nature, characteristics and risks of the assets held. While the procedures and controls listed below are not intended to be prescriptive or one-size-fits-all, they are generally required of authorized institutions holding customer VAs. For other digital assets, authorized institutions may adopt a risk-based approach and implement the following procedures and controls in proportion to the risks faced; however, if these digital assets are traded as permissionless tokens on a public permissionless DLT network, authorized institutions should be more cautious and carefully evaluate their implementation:
- Generate and store seeds and private keys, including their backups, in a secure and tamper-proof environment and on secure equipment (such as hardware security modules, HSMs). Where feasible, seeds and private keys should be generated offline, with appropriate lifecycle limits set;
- Securely generate, store and back up seeds and private keys locally in Hong Kong;
- Restrict access to cryptographic devices or applications to appropriately screened and trained authorized personnel on a need-to-use basis; maintain up-to-date documentation of access methods and assigned access permissions; authenticate access to seeds and private keys using strong authentication methods such as multi-factor authentication; and maintain an audit trail of access to cryptographic devices or applications;
- Guard against any "single point of failure" by adopting key sharding or similar techniques, for example splitting a private key into shards distributed to multiple authorized persons for separate storage, so that no single party holds the entire key. Typically, a set number of shard holders must sign a transaction jointly, so that no single person has full access while operations are not disrupted if one shard is lost, unavailable or stolen. To prevent single points of failure, also consider holding customer digital assets in multiple wallets rather than a single wallet;
- Establish measures to prevent and mitigate the risk of collusion between persons with access to mnemonic phrases and private keys;
- Make adequate off-site backup and contingency arrangements for mnemonic phrases and private keys, subject to the same security controls as the original mnemonic phrases and private keys. Backed-up mnemonic phrases and private keys should be stored offline in a secure physical location that is independent of the primary location where the originals are stored, so that a single incident cannot affect both;
- Unless justified otherwise, the majority of customer digital assets should be kept in cold storage not connected to the Internet;
- Allow deposits and withdrawals of customer digital assets only through wallet addresses belonging to the customer (e.g. addresses that pass an ownership test such as a signed message or a micropayment test) and through a whitelisting process;
- Take steps to ensure that any smart contracts used in the custody process are substantially free of contract vulnerabilities and security deficiencies; and
- Put in place appropriate insurance or indemnity arrangements that adequately cover any loss of customer digital assets resulting from a hacking incident, theft or fraud (whether or not due to the acts, errors, omissions or gross negligence of the authorized institution).
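The key-sharding control above is most easily understood by running it. The block below is an added example (not code from the HKMA guidance or from any custodian) that splits a private key, treated as an integer, into shards using Shamir's Secret Sharing over a prime field: any 3 of 5 shard holders can reconstruct the key, while 2 or fewer learn nothing about it. The prime field, the 3-of-5 quorum, the holder names and the sample key are constructed choices for this illustration; a production deployment would keep the shards inside HSMs or an offline ceremony rather than in Python variables.

```python
"""Threshold key sharding with Shamir's Secret Sharing.

Added example illustrating the "no single point of failure" control in
paragraph 11 (not code from the HKMA guidance). The prime field, the
3-of-5 quorum, the holder names and the sample key are constructed.
"""
import secrets
from typing import List, Tuple

# 2**256 - 189 is prime and exceeds any 256-bit private key, so every such
# key is a valid field element (constructed choice for this example).
PRIME = 2**256 - 189

Shard = Tuple[int, int]  # (x coordinate, polynomial value at x)


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate coeffs[0] + coeffs[1]*x + ... mod PRIME (Horner's rule)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_key(secret: int, threshold: int, shares: int) -> List[Shard]:
    """Split `secret` into `shares` shards; any `threshold` of them recover it."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def _interpolate_at_zero(points: List[Shard]) -> int:
    """Lagrange interpolation at x = 0 over the prime field."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        num, den = 1, 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                num = num * (-xm) % PRIME
                den = den * (xj - xm) % PRIME
        total = (total + yj * num * pow(den, -1, PRIME)) % PRIME
    return total


def recover_key(shards: List[Shard], threshold: int) -> int:
    """Rebuild the key from a quorum of shards; refuse if the quorum is short."""
    if len(shards) < threshold:
        raise ValueError(f"quorum not met: {len(shards)} of {threshold} shards")
    if len({x for x, _ in shards}) != len(shards):
        raise ValueError("duplicate shard presented")
    return _interpolate_at_zero(shards[:threshold])


def partial_quorum_reveals_key(secret: int, shards: List[Shard], threshold: int) -> bool:
    """True if threshold-1 shards already yield the secret.

    With one shard fewer than the threshold the interpolated value is a
    uniformly random field element, so this is False except with
    negligible probability (about 1/PRIME).
    """
    return _interpolate_at_zero(shards[:threshold - 1]) == secret


def demo() -> bool:
    """3-of-5 custody quorum: three holders can sign, two cannot."""
    key = secrets.randbelow(PRIME)  # constructed sample key
    holders = ["ops-1", "ops-2", "risk-1", "risk-2", "offsite-backup"]
    shards = dict(zip(holders, split_key(key, threshold=3, shares=len(holders))))
    quorum = [shards["ops-1"], shards["risk-2"], shards["offsite-backup"]]
    reconstructed_ok = recover_key(quorum, threshold=3) == key
    leaks = partial_quorum_reveals_key(key, list(shards.values()), threshold=3)
    return reconstructed_ok and not leaks


if __name__ == "__main__":
    print("3-of-5 sharding works:", demo())
```

Two properties matter for the "single point of failure" control: losing any two shards (say one holder leaves and the off-site backup is destroyed) still leaves a signing quorum, and no holder, or pair of holders, can reconstruct the key alone. Note that reconstructing the key in one place, as `recover_key` does, itself creates a momentary single point; threshold-signature schemes that sign without ever assembling the key are the usual production answer, but the sharing arithmetic shown here is the same building block.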
12. Where an authorized institution provides a user interface or portal for customers to manage the digital assets it holds for them, effective customer authentication and notification controls should be established, in compliance with the relevant guidance issued by the HKMA from time to time.
13. Authorized institutions should pay close attention to emerging security threats, vulnerabilities, attack and fraud risks, and trends and developments in technology solutions; regularly assess the adequacy and robustness of their security controls in light of emerging threats and technological advances; and take steps to adopt technology for safeguarding customers' digital assets in line with relevant industry best practices and applicable international standards. Wallet storage technology used to secure customers' digital assets should be tested for reliability before deployment.
(D) Delegation and Outsourcing
14. As a general principle, for virtual assets, an authorized institution may only delegate its custody function to (i) another authorized institution (or a locally incorporated subsidiary of an authorized institution); or (ii) a virtual asset trading platform licensed by the China Securities Regulatory Commission. For other digital assets in the form of permissionless tokens on a public permissionless distributed ledger network, authorized institutions should be particularly cautious and assess in depth whether it is appropriate to delegate or outsource their custody functions.
15. When entering into a delegation or outsourcing arrangement with a delegate or service provider for digital asset custody services, an authorized institution should conduct appropriate due diligence before selecting and appointing the delegate or service provider. The authorized institution should assess, and be satisfied with, among other things, the delegate's or service provider's financial soundness, reputation, management skills, technical and operational capabilities, ability to comply with this Annex and other applicable legal and regulatory requirements, and ability to keep up with technological developments in the digital asset space. Due diligence assessments and their results should be properly recorded. Authorized institutions should establish effective controls to monitor the delegate's or service provider's performance on an ongoing basis.
16. When working with delegates or service providers to provide digital asset custody services, authorized institutions should have the technical expertise to evaluate how effectively the deployed solution protects customer digital assets and whether it introduces any single point of failure. Authorized institutions should also fully understand the terms and conditions under which customer digital assets are held by the delegate or service provider, and assess whether these would materially affect the customers' legal rights in the event of the delegate's or service provider's bankruptcy. Authorized institutions are responsible for ensuring that the delegate or service provider properly segregates customer digital assets in accordance with paragraphs 6 and 7 of this Annex.
17. An authorized institution's contingency and disaster recovery arrangements should cover disruption of delegated or outsourced digital asset custody services. Authorized institutions should also assess the resilience of the delegate or service provider, including its contingency plans and procedures, to ensure the availability of the custody services.
18. Authorized institutions are reminded that, when entering into delegation or outsourcing arrangements for digital asset custody services, they should also maintain the systems and controls applicable to delegation or outsourcing arrangements for traditional financial activities.
19. Ultimate responsibility and accountability for any delegated or outsourced activity rests with the authorized institution.
(E) Risk Disclosure
20. Authorized institutions should make full and fair disclosure of their custody arrangements to their clients in a clear and understandable manner, including:
- The respective rights and obligations of the authorized institution and its clients, including the clients' ownership rights in their assets if the authorized institution enters insolvency or liquidation;
- The custody arrangements, including how customer digital assets are stored and segregated, the procedures and timing for accessing customer digital assets, and any applicable fees and costs;
- Compensation arrangements to cover possible losses of customer digital assets due to security incidents or misappropriation;
- The circumstances in which customer digital assets are commingled with other customers' assets, and the related risks;
- The circumstances in which the authorized institution would obtain legal and/or beneficial ownership of customer digital assets, or otherwise transfer, lend, mortgage, re-mortgage or create any security over customer digital assets, the relevant arrangements, and the risks involved;
- How customer digital assets are handled in events such as voting, hard forks and airdrops, and the customers' corresponding rights and interests; and
- The existence and nature of any potential and/or actual conflicts of interest relating to the authorized institution's custody activities.
(F) Record keeping and reconciliation of customer digital assets
21. Authorized institutions should maintain appropriate books and records for each customer to track and record ownership of customer digital assets, including the amount and type of assets owed to each customer and the movement of assets between customer accounts. Reconciliations of customer digital assets should be performed regularly and frequently on a customer-by-customer basis, taking into account relevant off-chain and on-chain records. Any discrepancies should be promptly resolved and escalated to senior management as appropriate.
22. Authorized institutions should establish systems and controls to safeguard all records relating to custody activities and should promptly provide these records to the HKMA upon request.
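The customer-by-customer reconciliation in paragraph 21 (and the segregation in paragraph 6 it relies on) reduces to a simple check once each customer's assets sit at dedicated addresses: sum the off-chain ledger per customer and asset, sum the on-chain balances of that customer's addresses, and report any gap. The block below is an added example, not code from the HKMA guidance or any custodian; the ledger entries, the address-to-customer mapping, the chain balances and the escalation threshold are all constructed sample data, and in practice the on-chain figures would come from a node or indexer.

```python
"""Customer-by-customer reconciliation of off-chain ledger vs on-chain balances.

Added example (not from the HKMA guidance). All data below is constructed:
a small ledger, a mapping of dedicated custody addresses to customers, and
the balances an indexer might report for those addresses.
"""
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Tuple

Position = Tuple[str, str]  # (customer_id, asset)

# Constructed off-chain ledger: every movement is booked against a customer.
LEDGER = [
    {"customer": "cust-A", "asset": "BTC", "amount": Decimal("1.50"), "type": "deposit"},
    {"customer": "cust-A", "asset": "BTC", "amount": Decimal("-0.25"), "type": "withdrawal"},
    {"customer": "cust-A", "asset": "ETH", "amount": Decimal("10"), "type": "deposit"},
    {"customer": "cust-B", "asset": "ETH", "amount": Decimal("4"), "type": "deposit"},
    {"customer": "cust-B", "asset": "BTC", "amount": Decimal("0.40"), "type": "deposit"},
]

# Constructed mapping of dedicated (segregated) custody addresses to customers.
ADDRESS_OWNER: Dict[str, Position] = {
    "bc1-addr-A": ("cust-A", "BTC"),
    "0x-addr-A": ("cust-A", "ETH"),
    "bc1-addr-B": ("cust-B", "BTC"),
    "0x-addr-B": ("cust-B", "ETH"),
}

# Constructed on-chain balances; 0.5 ETH left cust-B's address with no ledger entry.
CHAIN_BALANCES: Dict[str, Decimal] = {
    "bc1-addr-A": Decimal("1.25"),
    "0x-addr-A": Decimal("10"),
    "bc1-addr-B": Decimal("0.40"),
    "0x-addr-B": Decimal("3.5"),
}


@dataclass(frozen=True)
class Discrepancy:
    customer: str
    asset: str
    ledger: Decimal
    onchain: Decimal
    escalate: bool  # True when the gap reaches the escalation threshold


def offchain_positions(ledger) -> Dict[Position, Decimal]:
    """Net ledger balance per (customer, asset)."""
    totals: Dict[Position, Decimal] = defaultdict(Decimal)
    for entry in ledger:
        totals[(entry["customer"], entry["asset"])] += entry["amount"]
    return dict(totals)


def onchain_positions(address_owner, chain_balances) -> Dict[Position, Decimal]:
    """On-chain balance per (customer, asset), summed over the customer's addresses."""
    totals: Dict[Position, Decimal] = defaultdict(Decimal)
    for address, balance in chain_balances.items():
        if address not in address_owner:
            # An unmapped address holding funds is itself a control failure.
            raise ValueError(f"unmapped custody address: {address}")
        totals[address_owner[address]] += balance
    return dict(totals)


def reconcile(ledger, address_owner, chain_balances,
              escalation_threshold: Decimal = Decimal("0.01")) -> List[Discrepancy]:
    """Compare both views for every position and list the ones that differ."""
    off = offchain_positions(ledger)
    on = onchain_positions(address_owner, chain_balances)
    found: List[Discrepancy] = []
    for key in sorted(set(off) | set(on)):  # positions missing on one side count too
        ledger_amt = off.get(key, Decimal(0))
        chain_amt = on.get(key, Decimal(0))
        if ledger_amt != chain_amt:
            gap = abs(ledger_amt - chain_amt)
            found.append(Discrepancy(key[0], key[1], ledger_amt, chain_amt,
                                     gap >= escalation_threshold))
    return found


if __name__ == "__main__":
    for d in reconcile(LEDGER, ADDRESS_OWNER, CHAIN_BALANCES):
        flag = "ESCALATE" if d.escalate else "review"
        print(f"{flag}: {d.customer} {d.asset} ledger={d.ledger} onchain={d.onchain}")
```

Iterating over the union of both key sets is deliberate: a customer position that exists only in the ledger (assets booked but never received on chain) or only on chain (funds at a mapped address with no ledger entry) is a discrepancy in its own right, not something to skip. Amounts are kept as `Decimal` so that token quantities with many decimal places compare exactly.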
(G) Anti-money laundering and combating the financing of terrorist activities
23. Authorized institutions should ensure that their anti-money laundering and counter-financing of terrorism (AML/CFT) policies, procedures and controls effectively manage and mitigate any money laundering and terrorist financing risks associated with digital asset custody activities. Authorized institutions should comply with the "Guidelines on Anti-Money Laundering and Combating the Financing of Terrorist Activities (Applicable to Authorized Institutions)" and the HKMA's AML/CFT guidance on digital asset custody activities.
(H) Requirement for Ongoing Monitoring
24. Authorized institutions should periodically review their policies and procedures, and conduct independent audits of their systems and controls and of their compliance with the applicable requirements on the custody of customers' digital assets.