On April 16, 2024, the Hong Kong Monetary Authority (HKMA) issued Guidelines on Distributed Ledger Technology (DLT), supporting banks in using DLT where the associated risks can be kept under control, and expressed the hope that clarifying the HKMA's regulatory considerations would promote wider acceptance and application of DLT in the industry.
The HKMA's regulatory principle is "risk-based and technology-neutral": it focuses on whether banks have sufficient control measures to properly manage the additional and unique risks brought about by the application of DLT. Because some risk factors recur across different DLT projects, the HKMA has included the relevant considerations in the guidelines. The first is establishing appropriate governance: the bank's board of directors and senior management bear ultimate responsibility for the bank's use of DLT, and should formulate appropriate policies, risk frameworks and similar arrangements to ensure that the bank can properly manage all risks arising from the application of DLT.
Secondly, the design of DLT application projects should be appropriate. Banks may need to consider the following issues during the design process:
(i) the applicability of different types of DLT networks;
(ii) the use and design of smart contracts;
(iii) how to manage potential legal and third-party risks; and
(iv) whether the project can be securely interoperable with other programs.
In addition, the HKMA is concerned about the ongoing maintenance and monitoring of DLT projects. Banks should establish effective cybersecurity measures, properly manage private keys, comply with requirements for personal data and privacy protection, and develop appropriate contingency plans and testing arrangements.
The following is a translation of the original text of the HKMA's Distributed Ledger Technology (DLT) Risk Management Guidelines.
Background
Since the Government issued the "Hong Kong Virtual Asset Development Policy Statement" in 2022, the Hong Kong Monetary Authority has noticed that authorized institutions (AIs) have shown strong interest in exploring how to apply the distributed ledger technology (DLT) behind the virtual asset ecosystem to traditional financial market operations. As these explorations accelerate, more and more authorized institutions have contacted the Hong Kong Monetary Authority to seek comments on their planned initiatives in accordance with the regulatory expectations set out in the Hong Kong Monetary Authority's circular of January 28, 2022.
The Hong Kong Monetary Authority supports authorized institutions in adopting solutions based on distributed ledger technology (DLT), provided that they can appropriately manage the associated risks. In line with the "risk-based, technology-neutral" supervisory principle, the Hong Kong Monetary Authority, in reviewing the DLT-related proposals of authorized institutions, focuses on whether the authorized institutions have established adequate systems and controls to manage the additional risks that may arise from the adoption of DLT. Although the specific considerations of the Hong Kong Monetary Authority will vary depending on the solution being reviewed, some common risk areas are generally associated with the adoption of DLT.
In order to promote the adoption of DLT solutions by authorized institutions, the Hong Kong Monetary Authority sets out in this memorandum: (i) the key issues that will generally be considered when assessing the DLT-related proposals of authorized institutions; and (ii) the capabilities and conditions that authorized institutions should generally demonstrate and/or meet under each area.
The above considerations are non-binding, non-exhaustive and will continue to evolve as the market and relevant technologies develop. Therefore, while authorized institutions may refer to these points when designing and developing their DLT-related solutions, the Hong Kong Monetary Authority will continue to discuss with authorized institutions bilaterally on specific issues to ensure that the above factors are applicable to specific cases.
Key Factors
Governance
DLT is centred on decentralization. The adoption of DLT therefore involves not only novel applications of technology but also non-traditional governance concepts. Accordingly, the board of directors and senior management bear full responsibility for the adoption of DLT by the authorized institution and for the adequate management of the related risks.
In implementing DLT solutions, authorized institutions may encounter a range of new DLT-specific risks, including those related to governance. As such, the HKMA expects the boards and senior management of authorized institutions to establish adequate systems and controls to mitigate these risks.
As part of this, authorized institutions should review and update their relevant policies and frameworks, as necessary, to reflect DLT-specific factors. These policies and frameworks include technology risk management (e.g. change management, access control, cybersecurity), business continuity planning (BCP) and outsourcing.
Regarding internal capabilities, authorized institutions must ensure that they have sufficient staff with DLT expertise to support the implementation process and that their management has sufficient knowledge to review and evaluate the strategy and approach adopted by the authorized institution towards DLT.
Given the rapid pace of technological advancement, authorized institutions should be mindful of the need to provide regular training to their staff and reconfigure their work processes to keep pace with the latest developments. If the DLT solution involves customer-facing elements, authorized institutions should review the need for DLT-specific consumer education efforts and/or updating of existing dispute resolution procedures, as well as compensation and indemnity mechanisms.
Application Design and Development
Choosing the right DLT network for a specific application -- Authorized institutions need to choose the right DLT network for a specific application, given that the structure and governance of a DLT network (e.g., permissionless, private permissioned, or public permissioned) have a direct impact on the security, stability, scalability, and resilience of the network.
The HKMA expects authorized institutions to fully understand the different types of DLT networks available and to make appropriate choices based on the nature and risks of the application involved, as well as their own legal and regulatory responsibilities. If an authorized institution decides to choose a design option that may involve higher risks, the HKMA expects that such an option has been subject to critical assessment and that appropriate risk management controls are in place. For example, permissionless networks may not be the first choice for applications involving the transmission of sensitive data, because their membership is open and they are generally more vulnerable to attacks by malicious actors.
However, these networks need not be excluded by default from such applications if the authorized institution can find appropriate measures to manage the associated risks (e.g. cryptographic solutions such as zero-knowledge proofs, or a combination of on-chain and off-chain solutions).
Designing “fit-for-purpose” smart contracts -- While smart contracts can offer efficiency benefits through automation, they may not be suitable for all business scenarios or may only be deployed with tailored controls.
For example, in situations that typically involve some degree of human judgment (e.g. complex loan assessments), unchecked automation may be unwelcome and smart contracts may only be appropriate where options for human intervention can be incorporated.
If the authorized institution deems the use of smart contracts appropriate, the HKMA expects it to effectively manage the vulnerabilities commonly associated with smart contracts. These include operational risks (e.g. non-malicious coding errors and cyber attacks), third-party risks (e.g. the reliability of "oracles" used to obtain external data) and legal risks (e.g. whether the legal basis for the smart contract is established).
To this end, it is recommended that authorized institutions establish a rigorous governance framework for the introduction and updating of smart contracts. An effective framework will assess the suitability of adopting smart contracts in a particular case, conduct due diligence reviews of smart contracts to be deployed from an operational, technical and legal perspective, ensure that necessary risk management controls are incorporated into the final design of smart contracts, and cover procedures/considerations for upgrading smart contracts. If necessary, authorized institutions should consider engaging professional advice, including appropriate third parties, to audit smart contracts before they are deployed.
Understanding and mitigating potential legal risks -- The legal basis for applying DLT to traditional financial market activities is still evolving. For example, with respect to the issuance and trading of tokenized products, in traditional financial systems, "settlement finality" is a clear and well-defined point in time, underpinned by a strong legal basis, while under DLT arrangements, the point in time when settlement finality is achieved may be less clear due to the use of consensus-based verification mechanisms. Depending on how traditional products are "tokenized", there may also be changes to their legal status and subsequent regulatory treatment. Authorised institutions should be aware of these possible legal grey areas, seek professional advice where necessary, and take steps in the design process to mitigate the attendant legal risks.
Effective management of risks associated with third parties -- The HKMA expects that, in the process of assessing whether to adopt a DLT solution, an authorised institution has reviewed and determined that it is able to manage the risks that may arise from third parties participating in a DLT arrangement. In particular, given that DLT networks operate on a consensus mechanism and therefore rely on node operators to verify and confirm changes to the ledger, authorised institutions should fully consider whether node operators are sufficiently trustworthy, reliable and diverse, depending on the application at hand.
If inadequacies are found, authorised institutions should take adequate compensating risk measures. They should also consider the impact that the design of a DLT network may have on their ability to adequately manage risks associated with third parties. For example, permissionless networks are designed to have open membership and allow any participant (including those using pseudonyms) to become a validator. In these cases, authorised institutions have less control over the third parties involved, and it may therefore not be appropriate for them to adopt this type of DLT solution for highly critical or sensitive functions unless they are able to employ adequate compensating risk management measures.
Secure interoperability and connectivity -- The HKMA expects authorised institutions to design their DLT-based systems to be compatible with and able to “talk” to both traditional and other DLT-based solutions wherever possible. This may help to limit market fragmentation, support operational efficiencies, and ensure the long-term relevance of DLT solutions.
For example, the HKMA has been encouraging banks to explore the potential of deploying DLT to accept deposits (i.e. "tokenised" deposits), as such deposit-taking activity is permitted under the Banking Ordinance. In doing so, it is noted that the banks' view is that tokenised deposits that can only be used within the authorised institution's own proprietary network may offer relatively little additional value to customers compared to deposits that can be used for interbank transfers and for the settlement of various tokenised assets held on different DLT networks. With this in mind, it is recommended that authorized institutions consider adopting more widely accepted technical standards to support compatibility. As with any interbank initiative, authorized institutions should ensure the security of these connections, including protecting them from cyber attacks, potential security vulnerabilities and data leakage risks.
Continuous maintenance and monitoring
Establish the same level of cybersecurity mechanisms as traditional technology applications -- DLT-based applications should enjoy a level of cybersecurity commensurate with traditional underlying technologies. The Hong Kong Monetary Authority expects authorized institutions to adopt effective mechanisms to address cyber risks unique to DLT (such as 51% attacks) as well as other common cybersecurity threats (such as distributed denial of service, or DDoS attacks). Authorized institutions should also be vigilant to emerging modus operandi of threat actors and new technological developments that may affect the security of DLT applications (such as quantum computing), and regularly update their response capabilities.
Secure management of private keys -- The responsibility of authorized institutions to access and protect private keys depends on the purpose of their DLT applications and whether they provide certain services. Given the varying possibilities, the HKMA will generally expect an authorized institution to demonstrate that it has in place strong policies and procedures to provide a level of security for any private keys it holds or manages that is appropriate to the nature and risk of the application, the underlying assets to which the private keys relate and the responsibilities undertaken by the authorized institution.
For example, an authorized institution that provides custody services for digital assets of its clients will generally be expected to adopt more stringent security procedures to ensure that the relevant private keys (and, where applicable, mnemonics) are always securely generated, stored and backed up. This may involve a variety of measures, including implementing controls to strictly limit access to the keys, using cold storage and developing off-site backup and other contingency arrangements.
Ensuring that data privacy and protection requirements are met -- Existing data privacy and protection requirements continue to apply regardless of whether data is stored on a centralized ledger or a DLT-based ledger. Therefore, an authorized institution should demonstrate that it has established adequate systems and controls to ensure that it continues to meet these requirements.
Where necessary, mitigation measures should be put in place to manage the complexities that may arise from the unique nature of DLT arrangements. These complexities may include, but are not limited to, difficulties in complying with requirements related to data retention (e.g. dealing with the immutability of data on DLT networks), ensuring the confidentiality of personal data (e.g. dealing with the transparent nature of certain DLT networks), and data localization (e.g. how data retention requirements are met where DLT networks are spread across multiple jurisdictions).
Customised contingency plans and testing arrangements -- If an authorized institution adopts DLT for critical functions, the HKMA expects it to include DLT-specific testing scenarios (e.g. common DLT network attacks, loss/theft of private keys, and the possibility of "forking") and contingency arrangements in its Business Continuity Plan (BCP).
In particular, authorized institutions are expected to understand and consider the unique operating dynamics of DLT networks, especially those factors that may affect system and capacity management (such as the possibility of validation congestion and the need to pay higher fees for expedited transactions), and should pay attention to them when planning and testing. When considering more extreme scenarios, authorized institutions should also consider the need to provide backup options for situations where the DLT solution may be temporarily or permanently unavailable.