2022年12月7日,香港立法会通过了《2022年打击洗钱和恐怖分子资金筹集(修订)条例草案》,为虚拟资产服务提供商(VASP)设立了发牌制度。新法律要求VASPs向香港证监会(SFC)申请牌照,同时遵守反洗钱和反恐融资的法定义务。VASP需要在2023年6月1日前符合新许可制度的要求。
In simple terms, virtual asset trading platforms in Hong Kong now need to obtain a license from the Securities and Futures Commission to operate. This means that the project party must have the right people, financial resources, and risk management policies and procedures, just like traditional financial institutions. The new system will take effect next month on June 2023, 6.
The new regulation will expand the CSRC’s regulatory scope, allowing it to oversee more virtual asset trading platforms.
1. Application conditions:
If you plan to operate a virtual asset service in Hong Kong, you need to understand and comply with the requirements of the Hong Kong Securities and Futures Commission (SFC). This article will explain the key points of obtaining a virtual asset service provider (VASP) license.
1. Applicant Qualifications
To apply for a VASP license, a company must be incorporated in Hong Kong and have a permanent place of business. Individuals, overseas companies that are not Hong Kong companies, and companies such as partnerships and sole proprietorships that do not have independent legal personality are not eligible to apply for or obtain a VASP license.
2. Fit Test
The applicant, responsible officer (RO), licensed representative (if any), director and each person defined as an “ultimate owner” must satisfy the suitability and appropriateness test. The SFC will determine whether a person is a fit and proper person based on the following factors:
- Education and other qualifications and experience
- Financial Condition and Solvency
- Competence, Honesty and Financial Integrity
Applicants are required to have at least two SFC-approved responsible officers (ROs) to oversee the business, although it is not clear whether the SFC will require both responsible officers to be available locally to oversee the business, but generally, the SFC requires at least one responsible officer to be available locally at all times. They will ensure compliance with anti-money laundering and counter-terrorist asset raising regulations and other regulatory requirements. Develop internal anti-money laundering policies, procedures and controls, including risk assessment, customer due diligence measures, continuous monitoring of customers, suspicious transaction reporting, record keeping, and adequate training of employees on regulatory requirements.
II. Regulatory requirements
Protecting investors and ensuring market transparency
The regulator has set out a series of key requirements to ensure market transparency, investor protection and fair competition. The following are the main regulations:
1. Token Due Diligence
The CSRC provides a non-exhaustive list of general token admission criteria to help project parties evaluate when allowing virtual assets (VAs) to trade. These criteria include the background of the management and development team, the regulatory status of VAs in other jurisdictions, supply and demand, maturity and liquidity, security infrastructure, marketing materials, white papers, and the main risks and utility of VAs.
2. Token Admission and Review Committee
VASPs need to set up a token admission and review committee to decide whether to allow, suspend and revoke VA transactions on the platform and formulate relevant rules. The committee should be composed of senior management and report regularly to the VASP board of directors.
3. Customer asset custody and insurance
VASPs are required to store at least 98% of customer assets in cold wallets and purchase insurance based on the risks associated with custody. At the same time, VASPs are also required to check whether the insurance coverage is sufficient every day.
4. Smart Contract Audit
Security flaws or vulnerabilities in the smart contract layer of the proposed listed virtual assets should be audited by VASPs or independent auditors.
5. Product Information Disclosure
To enable customers to evaluate investment positions, VASPs should disclose sufficient product information, including price, trading volume, background information of the management team or developer, issuance date, terms and features, official website, smart contract audit report, and how voting rights attached to tokens are handled.
6. Preventing market manipulation
VASPs must establish policies and controls to identify, prevent, and report market manipulation or abusive trading activity and provide the SFC with access to their systems.
7. Regular reporting and auditing
VASPs are required to report their business activities to the CSRC on a monthly basis and submit annual audit reports.
Anti-Money Laundering and Counter-Terrorism Financing (AML/CFT)Claim
1. Know Your Customer (KYC):VASPs need to collect more customer information to confirm and verify the customer's identity. This information may include IP addresses, geolocation data, and device identifiers. Where appropriate, VASPs also need to continuously monitor this additional information to identify suspicious transactions and take appropriate measures.
2. Travel rule:When processing virtual asset transfer transactions, project parties need to conduct due diligence on all parties to the transaction and identify and report suspicious transactions.
3. Non-custodial wallet:When the project party conducts transactions with non-custodial wallets, enhanced measures need to be taken, such as increasing monitoring intensity, accepting only whitelisted wallets, and setting transaction limits.
4. Prohibition of third-party deposits and withdrawals:The project party should prohibit customers from making any deposits or withdrawals to wallet addresses that are not owned by the customer and are not whitelisted.
5. Screen virtual asset transactions and associated wallet addresses:Project parties need to screen virtual asset transactions and related wallet addresses, including tracking transaction history, identifying suspicious wallets, and using blockchain analysis software for analysis.
6. It should be noted that traditional licensed companies engaged in virtual asset-related businesses or that may involve AML/CFT risks also need to comply with or consider the above regulations.
III. The CSRC’s supervisory powers and penalties
1. Routine inspections: The CSRC has the right to enter the business premises of licensed virtual asset service providers (VASPs) and their affiliated entities for routine inspections and require the production of relevant documents.
2. Investigation and Sanctions of Violations: The SFC is responsible for investigating all types of violations and, if any violation is found, will impose administrative sanctions, including censure, remedial action orders, civil penalties, and suspension or revocation of licenses.
3. Operational restrictions: When necessary, the CSRC has the right to impose restrictions and prohibitions on the operations of licensed VASPs and their affiliated entities.
4. Sanctions on virtual asset exchanges operating in Hong Kong without permission: If an exchange operates in Hong Kong without permission, or actively promotes the services of an overseas virtual asset exchange that is not licensed in Hong Kong to the Hong Kong public without reasonable excuse, it will be fined up to HK$500 million and imprisoned for up to seven years. If such behavior persists, an additional fine of HK$100,000 will be imposed every day.
5. Disciplinary sanctions against licensed VASPs and their responsible officers and senior management: The SFC will be granted extensive disciplinary powers against licensed VASPs and their responsible officers and senior management, such as public reprimands, license revocation, etc.
6. Regulations on virtual asset exchanges operating in Hong Kong: VASPs operating virtual asset exchanges in Hong Kong must obtain permission from the SFC, otherwise they will need to cease operations before March 2024, 3.
7. Regulations on virtual asset exchanges operating outside Hong Kong: If a VASP operating outside Hong Kong actively markets to investors in Hong Kong without obtaining permission from the SFC, it will be considered an illegal act.
8. Restrictions on the service objects of VASPs: In the initial stage of the implementation of the new licensing system, VASP licensed institutions can only provide services to professional investors.
9. Intervention in the operations of VASPs: The CSRC has the power to impose relevant prohibitions on the operations of VASPs, such as requiring them to conduct business in a specific manner, prohibiting them from engaging in certain transactions, and restricting the way they dispose of customer assets and other property.
IV. Transition plan for exchanges that have not yet applied for a VASP license
For virtual asset (VA) exchanges that have been operating in Hong Kong before June 2023, 6, they will be allowed to continue operating for up to 1 months without obtaining a VASP license. If these exchanges wish to continue operating in Hong Kong after these 12 months, they must submit an application to the SFC for a VASP license.
如果现有的虚拟资产交易所在2024年2月29日或之前向证监会提交牌照申请,即使在12个月的过渡期后(即2024年5月31日后)其牌照仍未通过,也将被允许继续运营,类似”登记牌照”。
This “registration license” status will remain valid until the CSRC grants or refuses to grant a license, or the exchange withdraws its VASP license application.
If the SFC considers that some applicants are not suitable for licensing, it has the right to notify them before the end of the transitional period that they do not meet the qualifications to be “deemed to be licensed”.
Finally, if an existing virtual asset exchange withdraws its licensing application or the SFC refuses to grant it a VASP license, the exchange will have at least three months to close its operations in Hong Kong, with the right to apply for an extension.