Learn about the latest application policy for Hong Kong Virtual Asset Custody Service Providers (TCSP) in 2024


In Hong Kong, with the introduction of the Virtual Asset Service Provider (VASP) licensing system, exchange services are open to retail investors for the first time, marking a major step forward for Hong Kong in the field of virtual assets. This new system not only attracted many platforms and institutions to apply, but also introduced stricter compliance requirements to ensure that investors' assets are properly protected. In particular, the Hong Kong Securities and Futures Commission (SFC) requires exchanges to hold customers' funds and virtual assets in trust through wholly-owned subsidiaries, which means that exchanges need to hold both VASP licenses and TCSP (Trust or Company Service Providers) trust licenses. The TCSP license plays a key role in this system, providing a new business scenario for the independent custody of virtual assets and ensuring the security and independence of assets.

Recently, the U.S. Securities and Exchange Commission (SEC) approved a Bitcoin spot ETF, of which Coinbase became one of the eight custodians, which not only boosted its revenue growth, but also indicated that digital asset custody has become a key area of competition for powerful institutions. On February 8, 2024, the Hong Kong Monetary Authority (HKMA) issued guidelines on digital asset custody activities, providing clear governance and risk management, customer asset isolation and protection, entrustment and outsourcing standards for institutions applying for a virtual asset custody service provider license (TCSP).

In addition, with respect to standalone virtual asset custody business, the Hong Kong High Court’s Court of First Instance has confirmed in Re Gatecoin Ltd [2023] HKCFI 914 that virtual assets are “property” and “capable of trust arrangements.” Therefore, if the relevant virtual asset custody business involves an “express trust or similar legal arrangement” for virtual assets, the custodian (for example, a wallet or custody provider) must obtain a TCSP license issued by the Hong Kong Companies Registry.

 

I. The latest application policy for Hong Kong virtual asset custody service providers (TCSP)

(A) Requirements for applying for a Hong Kong TCSP license

According to the Virtual Asset Service Provider Licensing System, the following conditions must be met to apply for a Hong Kong TCSP license:

  • Be a company registered in Hong Kong
  • Have good financial status and credit
  • Have the right people and systems in place to manage virtual asset businesses (refer to the latest HKMA guidance on digital asset custody activities for details)
  • Develop and implement effective policies and procedures to combat money laundering and terrorist financing

 

(B) The process of applying for a Hong Kong TCSP license is as follows:

1. Prepare application materials

2. Submit application to SFC

3. SFC reviews the application

4. SFC decides whether to issue a license


 

(C) The materials required to apply for a Hong Kong TCSP license include:

  • Application form
  • Company registration documents
  • Proof of financial status
  • Personnel list and resume
  • Policies and procedures to combat money laundering and terrorist financing
  • Business Plan
  • Technology Architecture
  • Risk management measures (please refer to the latest HKMA guidelines on digital asset custody activities for details)
  • Other materials required by SFC

 

(D) The SFC will review the application, including:

  • Review whether the application materials are complete (refer to the latest HKMA guidelines on digital asset custody activities for details)
  • Check whether the applicant meets the requirements
  • Conduct on-site visits to applicants

 

(E) Review cycle

  • The SFC will make a decision on the application within 6 months. If the SFC decides to grant a license, it will issue a license to the applicant.

 

(F) The latest policy puts forward the following new requirements for applying for a Hong Kong TCSP license:

  • Applicants must have a registered capital of at least HK$500 million
  • Applicants are required to hire at least two licensed responsible officers (ROs) to oversee the compliance of virtual asset businesses
  • Applicants are required to formulate and implement effective risk management measures, including KYC/AML policies, transaction monitoring, information security, etc.

 

II. Summary of the guidance on digital asset custody activities issued by the Hong Kong Monetary Authority in February 2024 (see the guidance link for details)

(A) Governance and risk management

  • Before deploying digital asset custody services, authorized institutions must conduct a thorough risk assessment, establish and implement appropriate management policies, procedures and control measures to reduce these risks, and comply with relevant legal and regulatory frameworks. The management of the institution must ensure that the risks associated with custody activities are continuously and effectively monitored and mitigated before the launch of the service and during operation.
  • Institutions should be equipped with sufficient resources, including expertise and manpower, to support effective governance and risk management. In addition, given the rapid changes in the digital asset industry, authorized institutions should also provide continuous training for employees involved in custody services to ensure that they have the necessary knowledge and skills.
  • Institutions also need to establish clear accountability mechanisms, including specific role definitions, division of responsibilities and reporting systems, as well as develop policies and processes to identify and deal with potential or actual conflicts of interest. Finally, to ensure business continuity, authorized institutions should develop and maintain comprehensive backup and disaster recovery plans.

 

(B) Isolation of Customer Digital Assets

  • To ensure the security and independence of customer digital assets, authorized institutions must strictly isolate these assets from their own assets and store them in designated customer accounts. This measure is intended to protect customer assets and prevent customer assets from being used to repay institutional debts when the institution faces the risk of bankruptcy or dissolution.
  • The operations of authorized institutions on customer digital assets are strictly restricted and they are not allowed to transfer, lend, mortgage or impose any form of burden on customer assets without authorization. Any such operation can only be carried out when one of the following conditions is met: for transaction settlement or payment of customer arrears, the customer has clearly agreed in advance, or according to legal requirements. Institutions need to take effective measures to ensure that customer assets are only used for the agreed purpose and prevent any unauthorized use.

 

(C) Protection of Customer Digital Assets

Authorized institutions are responsible for ensuring that customers' digital assets are adequately protected and properly managed by establishing strong systems and controls to prevent asset loss, theft, fraud or any form of unauthorized access. This includes taking a risk-based approach to assessing and responding to various security threats, especially when using different types of distributed ledger technology (DLT), considering that public permissionless networks may pose higher security risks.

To this end, organizations must implement a range of security policies and procedures, including but not limited to:

  • Ensure authorization and verification during the access, transfer and management of customers' digital assets, especially the secure management of seeds and private keys, covering the entire process of their generation, distribution, storage, use and destruction.
  • Generate and store private keys and seeds in a secure environment, prioritize offline generation and storage to reduce the risk of network attacks, and adopt sharding technology to avoid single point of failure.
  • Limit access to authorized personnel who have been properly screened and trained, and employ strong authentication methods such as multi-factor authentication.
  • Maintain strict audit trails of access to storage devices and applications, together with off-site backup and contingency plans for mnemonics and private keys, to ensure the security and recoverability of this critical information.
  • Take additional measures to protect customer assets, such as keeping most assets in cold storage, ensuring that assets are deposited and accessed through customer-specified whitelisted addresses, and ensuring the security of smart contracts.
  • Provide a secure user interface or portal for customers, implement effective customer authentication and notification controls, and follow the latest security guidelines.

In addition, authorized institutions should continuously monitor the latest developments in the security field, regularly evaluate the effectiveness of existing security controls, and update protection measures in accordance with industry best practices and international standards to ensure the security and reliability of customer digital assets.

 

(D) Delegation and outsourcing

  • In the field of virtual asset custody, authorized institutions are faced with the important decision of choosing the right partner to delegate or outsource custody functions. The basic principle requires that these institutions can only delegate custody tasks to properly authorized institutions or virtual asset trading platforms holding corresponding licenses. In particular, for permissionless tokens operating on public permissionless distributed ledger networks, the decision to delegate or outsource needs to be carefully evaluated.
  • When selecting a delegate or outsourcing partner, the authorized institution must conduct thorough due diligence to assess the potential partner's financial status, reputation, management and technical capabilities, and its ability to comply with relevant legal and regulatory requirements. In addition, the authorized institution needs to ensure that the delegate or service provider can provide a secure and reliable solution without introducing any single point of failure, while ensuring that the legal rights to the client's assets are not affected under any circumstances.
  • The authorized institution should also ensure that effective monitoring and control mechanisms are in place to continuously assess the performance of the delegate or service provider. In addition, the emergency and disaster recovery plan should cover various situations that may interrupt the custody service to ensure the continuous availability of the service.
  • Ultimately, while delegation or outsourcing can bring about improvements in efficiency and professionalism, the authorized institution still needs to bear the ultimate responsibility and accountability for ensuring the security and compliance management of client assets, while maintaining the same level of systems and control standards as traditional financial activities.

 

(E) Risk Disclosure

Authorised institutions should fully and fairly disclose custodial arrangements to their clients in a clear and understandable manner, including:

  • The respective rights and obligations of the Licensee and its customers, including the customer's ownership rights in its assets in the event that the Licensee enters bankruptcy or liquidation;
  • Custody arrangements, including how customer digital assets are stored and segregated, the procedures and timing for accessing customer digital assets, and any applicable fees and costs;
  • Indemnity arrangements to cover potential losses of customer digital assets due to security incidents or misappropriation;
  • The commingling of client digital assets with other client assets, and the associated risks;
  • The circumstances and arrangements under which the Authorized Institution will acquire legal and/or beneficial title to the Customer Digital Assets, or otherwise transfer, loan, pledge, re-pledge or create any security over the Customer Digital Assets, and the risks involved;
  • How clients’ digital assets are handled in events such as voting, hard forks and airdrops, and their corresponding rights and interests;
  • The existence and nature of potential and/or actual conflicts of interest associated with their custodial activities.

 

(F) Recordkeeping and Reconciliation of Customer Digital Assets

  • Authorized institutions should maintain appropriate books and records for each customer to track and record the ownership of customer digital assets, including the amount and type of assets owed to the customer and the movement of assets between customer accounts. Customer digital assets should be reconciled regularly and frequently on a customer-by-customer basis, taking into account relevant off-chain and on-chain records. Any discrepancies should be resolved promptly and escalated to senior management as appropriate.
  • Authorized institutions should establish systems and controls to keep and protect all records related to custodial activities and should make those records available to the Hong Kong Monetary Authority in a timely manner upon request.
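The customer-by-customer reconciliation of off-chain and on-chain records described above can be sketched as follows. This is an added example, not code from the HKMA guidance or from this article. It assumes each customer has designated on-chain addresses and that balances were already read from a trusted node or indexer; all names, addresses, amounts and the escalation rule are constructed for illustration.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample data (not real accounts or addresses).
# Off-chain books: (customer, asset) -> amount owed to the customer.
LEDGER = {
    ("cust-001", "BTC"): Decimal("2.50000000"),
    ("cust-002", "BTC"): Decimal("0.75000000"),
    ("cust-003", "ETH"): Decimal("10.0"),
}
# Designated customer addresses: address -> (customer, asset).
ADDRESS_MAP = {
    "addr-A": ("cust-001", "BTC"),
    "addr-B": ("cust-001", "BTC"),
    "addr-C": ("cust-002", "BTC"),
    "addr-D": ("cust-003", "ETH"),
}
# On-chain balances as read from a node or indexer the institution trusts.
ONCHAIN = {
    "addr-A": Decimal("1.5"), "addr-B": Decimal("1.0"),
    "addr-C": Decimal("0.70"), "addr-D": Decimal("10.0"),
    "addr-X": Decimal("0.2"),  # holds funds but is mapped to no customer
}

def reconcile(ledger, address_map, onchain, tolerance=Decimal("0")):
    """Return a list of findings; an empty list means books and chain agree."""
    held = defaultdict(Decimal)  # (customer, asset) -> total held on-chain
    findings = []
    for addr, bal in onchain.items():
        owner = address_map.get(addr)
        if owner is None:
            # Funds outside any designated customer account break segregation.
            if bal > 0:
                findings.append(("UNMAPPED_ADDRESS", addr, bal))
            continue
        held[owner] += bal
    # Compare every (customer, asset) pair known to either side.
    for key in sorted(set(ledger) | set(held)):
        diff = held.get(key, Decimal(0)) - ledger.get(key, Decimal(0))
        if abs(diff) > tolerance:
            kind = "SHORTFALL" if diff < 0 else "SURPLUS"
            findings.append((kind, key, diff))
    return findings

def needs_escalation(findings):
    """Assumed rule: shortfalls and unmapped funds go to senior management."""
    return [f for f in findings if f[0] in ("SHORTFALL", "UNMAPPED_ADDRESS")]
```

Amounts are held as `Decimal` so that satoshi- or wei-level differences are not lost to floating-point rounding.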

 

(G) Anti-money laundering and combating the financing of terrorism

Authorized institutions should ensure that their anti-money laundering and countering the financing of terrorism (AML/CFT) policies, procedures and controls are able to effectively manage and mitigate any money laundering and terrorist financing risks associated with digital asset custody activities. Authorized institutions should comply with the Anti-Money Laundering and Countering the Financing of Terrorism Guidelines (Applicable to Authorized Institutions) and the Hong Kong Monetary Authority's AML/CFT Guidance Document on Digital Asset Custody Activities.

 

(H) Requirements for continuous monitoring

Authorized institutions should regularly review their policies and procedures and conduct independent audits of their systems and controls and compliance with applicable requirements with respect to the custody of customer digital assets.

 

III. Difficulties and Challenges

Although the HKMA has issued guidelines for virtual asset custody activities, and the standards are clearer than before, and there is no need to speculate too much about the SFC's intentions, it is still a challenge to set up a virtual asset custody service company in Hong Kong that complies with the TCSP license requirements. For exchanges and wallet institutions that are already in operation, this process not only requires the thorough construction of an IT infrastructure, but also involves an in-depth understanding of regulatory policies, compliance assurance, integration of anti-money laundering measures, establishment of security control systems, and development of blockchain wallet technology. These tasks require a lot of legal advice, industry practice comparisons, and verification of operational feasibility.

In addition, Hong Kong's new policies have put forward higher requirements for the security of virtual assets. The challenges include the difficulty of obtaining full insurance coverage (the cost is very high, which discourages many institutions), the time cost of establishing trust in enterprise-level custody technology and third-party custody credit, and the complexity of regulatory requirements for implementing independent account custody. These challenges show the complexity of establishing a TCSP custody service provider in Hong Kong, but these problems can be overcome through careful planning and technological innovation. The key is to develop a comprehensive governance strategy based on a deep understanding of the business, covering personnel division of labor, operating rules and risk control measures to ensure that regulatory requirements can be met smoothly and projects can be implemented.

 

 

Statement: This article is an original article by Aiying. The copyright belongs to Aiying. It may not be reproduced without permission. Media authorized by the agreement must indicate "Source of the article: Aiying compliance" when downloading and using it. Violators will be held accountable according to law.