Guidelines for the HKMA’s digital asset custody activities Source: https://www.hkma.gov.hk/media/eng/doc/key-information/guidelines-and-circular /2024/20240220e4.pdf
In Hong Kong, with the launch of the Virtual Asset Service Provider (VASP) license system, exchange services are open to retail investors for the first time, marking a major progress in the field of virtual assets in Hong Kong. This new system not only attracted many platforms and institutions to apply, but also introduced more stringent compliance requirements to ensure that investors’ assets are properly protected. In particular, the Hong Kong Securities and Futures Commission (SFC) requires exchanges to hold customers’ money and virtual assets in trust through wholly-owned subsidiaries, which means that exchanges need to hold both a VASP license and a TCSP ( Trust or Company Service Providers) trust license. The TCSP license plays a key role in this system, providing new business scenarios for the independent custody of virtual assets and ensuring the security and independence of assets.
The U.S. Securities and Exchange Commission (SEC) recently approved a Bitcoin spot ETF, of which Coinbase became one of the eight custodians, which not only boosted its revenue The growth also marks that digital asset custody has become a key area of competition for powerful institutions. On February 20, 2024, the Hong Kong Monetary Authority (HKMA) issued guidelines on digital asset custody activities, providing clear governance and risk management, customer assets, and customer assets for institutions applying for a virtual asset custody service provider license (TCSP). Standards such as isolation and protection, entrustment and outsourcing.
In addition, as far as the independent virtual asset custody business is concerned, the Court of First Instance of the Hong Kong High Court has already ruled in Re Gatecoin Ltd [2023 ] HKCFI 914 confirmed that virtual assets are "property" and "can be subject to trust arrangements. Therefore, if the relevant virtual asset custody business involves an "express trust or similar legal arrangement" for virtual assets, the custodian needs to obtain TCSP license issued by the Hong Kong Companies Registry, such as wallets and custodians.
1. The latest application policy for Hong Kong Virtual Trust Service Provider (TCSP)< /strong>
(A)Conditions for applying for a Hong Kong TCSP license
According to the "Virtual Asset Service Provider Licensing System", applying for a Hong Kong TCSP license must meet the following conditions:
It is a company incorporated in Hong Kong
Have good financial status and credibility
Have appropriate personnel and systems in place to manage virtual asset businesses (please refer to the latest guidance on digital asset custody activities of the Hong Kong Monetary Authority for details)
Develop and implement effective policies and procedures to combat money laundering and terrorist financing
(B)Application for Hong Kong The process for a TCSP license is as follows:
Prepare application materials
< p>Submit application to SFC
SFC reviews the application
SFC decides whether to issue the license
Materials required to apply for a Hong Kong TCSP license
< /li>
(C)The materials required to apply for a Hong Kong TCSP license include:< /strong>
Application form
li>Company registration documents
Proof of financial status
Personnel list and resume
Policies and Procedures for Countering Money Laundering and Counter-Terrorist Financing
-
Business plan
Technical architecture
Risk management measures (please refer to the latest guidance on digital asset custody activities of the Hong Kong Monetary Authority for details)
< p>Other materials required by SFC
- < p style="text-align: left;">SFC review of application
< strong>(D)SFC will review the application, including:
Review whether the application materials are complete (please refer to the latest guidance on digital asset custody activities of the Hong Kong Monetary Authority)
-
Review whether the applicant meets the conditions
Conduct on-site inspections of applicants
(E) Review cycle
(F) strong>The latest policy puts forward the following new requirements for applying for a Hong Kong TCSP license:
The applicant must have a registered capital of at least HK$5 million
The applicant must hire at least two Licensed Responsible Officer (RO) responsible for overseeing the compliance of virtual asset businesses
Applicant Effective risk management measures need to be developed and implemented, including KYC/AML policies, transaction monitoring, information security, etc.
2. Figures released by the Hong Kong Monetary Authority on February 20, 2024 Summary of guidance on asset custody activities (see guidance link for details)
(A) Governance and risk management
Institutions should have adequate resources, including expertise and people, to support effective governance and risk management. In addition, given the rapid changes in the digital asset industry, authorized institutions should also provide ongoing training to employees involved in custody services to ensure that they have the necessary knowledge and skills.
To ensure customer numbers To ensure the security and independence of assets, authorized institutions must strictly isolate these assets from their own assets and store them in designated customer accounts. This measure is designed to protect customer assets and prevent them from being used to repay the institution's debts when the institution faces the risk of bankruptcy or dissolution.
(C) Protection of Customer Digital Assets
Authorized institutions are responsible for ensuring that customers' digital assets are fully protected and properly managed, and by establishing strong systems and controls to prevent asset loss, theft, and fraud or any form of unauthorized access. This includes adopting a risk-based approach to assess and respond to various security threats, especially when using different types of distributed ledger technology (DLT), given that public permissionless networks may pose higher security risks.
Ensure customers’ access to digital assets, Authorization and verification during the transfer and management process, especially the secure management of seeds and private keys, covering the entire process of their generation, distribution, storage, use and destruction.
In the field of virtual asset custody, authorization Agencies are faced with the important decision of selecting the right partner to delegate or outsource hosting functions. Basic principles require that these institutions can only entrust custody tasks to appropriately authorized institutions or virtual asset trading platforms holding corresponding licenses. Especially for permissionless tokens that operate on public permissionless distributed ledger networks, the decision to delegate or outsource needs to be carefully evaluated.
Ultimately, although delegation or outsourcing can bring improvements in efficiency and professionalism, authorized institutions still need to bear the ultimate responsibility and accountability to ensure the security and compliance management of client assets. , while maintaining the same level of systems and control standards as traditional financial activities.
(E) Risk Disclosure p>
Authorities should fully and fairly disclose custody arrangements to their clients in a clear and understandable manner, including:
The respective rights and obligations of the authorized institution and its clients, including the client’s assets in the event that the authorized institution enters bankruptcy or liquidation ownership rights;
custodial arrangements, including the storage and isolation methods, access and access of customer digital assets procedures and timing for client digital assets, and any applicable fees and costs;
Indemnification arrangements, To cover possible losses of customer digital assets due to security incidents or misappropriation;
Customer numbers Mixing of assets with other client assets, and related risks;
The authorized institution will The circumstances and arrangements in which I obtain the legal and/or beneficial ownership of the customer’s digital assets, or otherwise transfer, lend, mortgage, remortgage or set any guarantee on the customer’s digital assets, as well as the risks involved;
< p>How customer digital assets are handled in events such as voting, hard forks and airdrops, and their corresponding rights and interests ;
Authorized institutions should fully and fairly disclose their custody arrangements to their clients, including custody with them The existence and nature of potential and/or actual conflicts of interest related to the activity.
(F) Record keeping and reconciliation of customer digital assets
The authorized agency shall maintain appropriate books and records for each client to track and Record the ownership of the customer’s digital assets, including the amount and type of assets owed to the customer, and the flow of assets between customer accounts. Reconciliations of customer digital assets should be performed regularly and frequently on a customer-by-customer basis, taking into account relevant off-chain and on-chain records. Any discrepancies should be promptly resolved and escalated to senior management as appropriate.
Authorized institutions should establish systems and controls to safeguard and protect matters related to custody activities and shall promptly provide such records upon request by the Hong Kong Monetary Authority.
(G) Anti-money laundering and combating the financing of terrorist activities< /p>
Authorized institutions should ensure that their anti-money laundering and countering the financing of terrorism (AML/CFT) policies, procedures and controls effectively manage and mitigate any issues related to digital asset custody activities. Money laundering and terrorist financing risks. Authorized institutions should comply with the Anti-Money Laundering and Countering the Financing of Terrorism Guidelines (Applicable to Authorized Institutions) and the Hong Kong Monetary Authority’s AML/CFT Guidance Document on Digital Asset Custody Activities.
(H) Requirements for continuous monitoring
Authorization Institutions should regularly review their policies and procedures and conduct independent audits of their systems and controls and compliance with applicable requirements in the custody of clients’ digital assets.
3. Difficulties and challenges
Although the HKMA has Guidelines for virtual asset custody activities have been released, and the standards are clearer than before. There is no need to speculate too much on the meaning of the Securities Regulatory Commission. However, it is also a challenge to set up a virtual asset custody service company in Hong Kong that complies with the TCSP license requirements. For exchanges and wallet institutions that are already in operation, this process not only requires the thorough construction of an IT infrastructure, but also involves an in-depth understanding of regulatory policies, compliance assurance, integration of anti-money laundering measures, establishment of security control systems, and Development of blockchain wallet technology. These tasks require extensive legal consultation, comparison of industry practices, and verification of operational feasibility.
In addition,Hong Kong’s new policy imposes higher requirements on the security of virtual assets, including the difficulty of obtaining full insurance coverage (the cost Very high and prohibitive for many institutions), the time cost of establishing trust in enterprise-level escrow technology and third-party escrow credit, and the complexity of regulatory requirements for implementing segregated account escrow. These challenges illustrate the complexity of setting up a TCSP managed service provider in Hong Kong, but with careful planning and technological innovation, they can be overcome. The key is to develop a comprehensive governance strategy based on a deep understanding of the business, covering staff divisions, operating rules and risk control measures to ensure that regulatory requirements can be smoothly met and projects implemented.