Hong Kong

[Aiying license] Must-read for Hong Kong financial license holders: The Ultimate Guide to Upgrading from Type 1 License to VA License (2025 Edition)

Posted on by Aiying
16
June

With the Hong Kong Special Administrative Region Government issuing policy declarations in October 2022 and June 10, clarifying its strategic positioning as a leading global virtual asset (VA) center, Hong Kong's financial regulatory landscape is undergoing a profound and rapid evolution. For hundreds of traditional financial institutions holding Type 2025 regulated activity (dealing in securities) licenses from the Securities and Futures Commission (SFC), this presents both unprecedented business expansion opportunities and a formidable compliance upgrade challenge.

Many licensed corporations are actively exploring ways to expand their business scope into the virtual asset sector, particularly by providing virtual asset trading services. However, this leap forward is not an easy one. It involves not applying for a completely new license, but rather a sophisticated expansion (upgrading) of the existing Type 1 license. In this upgrade, the SFC's top priority is undoubtedly staffing—in other words, whether the institution possesses the appropriate qualifications, experience, and capabilities to navigate this high-risk, technologically demanding emerging business.

This Aiying report aims to provide an authoritative and comprehensive guide for management, Compliance Officers (COs), and Responsible Officers (ROs) of licensed corporations holding an SFC Type 1 license. We systematically analyze and parse the personnel requirements required to upgrade from a traditional Type 1 license to providing virtual asset trading services (hereinafter referred to as a "VA1 license"), examining the regulatory agency's rationale and considerations, and providing a practical checklist. All information is based on the SFC's official guidance, latest circulars, consultation documents, and authoritative market case studies as of August 2025. Our goal is to help your organization navigate this crucial compliance transition with precision and stability.

 

I. A Quick Look at the Regulatory Framework: Understanding the Essence of the “VA1 License”

Before delving into specific staffing requirements, we must first clarify a fundamental concept: the "VA1 license" is not a separate license type in the SFC's official catalog. It is a market idiom that specifically refers to a set of specific virtual asset terms and conditions imposed by the SFC on top of an existing Category 1 (Securities Trading) license, allowing licensed institutions to engage in virtual asset-related trading activities. The underlying logic of this regulatory approach stems from the SFC's consistent regulatory philosophy:“Same Business, Same Risks, Same Rules”.

This principle means that regardless of whether the underlying assets traded are traditional stocks and bonds, or emerging virtual assets, as long as their business models (such as intermediary trading and providing trading advice) and the risks they pose (such as market risk, operational risk, and client asset security risk) are comparable, they must be subject to the same stringent oversight. Therefore, the SFC requires Type 1 licensees planning to provide VA trading services to establish an internal control system that is equivalent to, and in some areas (such as cybersecurity and asset custody) more stringent than, those in traditional securities businesses. This requirement directly translates into higher standards for personnel expertise and experience.

The voice of regulators:The SFC explicitly stated in its February 2025, 2, release: “The SFC’s supervision adopts the principle of ‘same business, same risks, same rules’ – all existing traditional financial (TradFi) investor protection guardrails apply to virtual asset-related activities, which is also the approach currently advocated by international standard setters such as IOSCO and the FSB.”

To accurately understand staffing requirements, it is crucial to distinguish between the "VA1 license" and the independent "VATP license." The two differ fundamentally in their regulatory framework, business model, and applicants:

In summary, the VA1 license upgrade path is essentially a specialized "plug-in" installation for existing brokerage operations. The SFC's core concern is whether the institution's "operating system" (i.e., its personnel and internal control systems) is ready to handle this complex and high-risk "new plug-in." Therefore, the staffing requirements discussed below serve as the specific specifications for this "operating system" upgrade.

 

1. In-depth analysis of staffing: core requirements for VAXNUMX license upgrade

This section forms the core of the report. Drawing on Aiying's experience assisting clients with license applications, as well as official SFC guidance, circulars, and market practices, we will comprehensively and systematically analyze the various staffing requirements associated with upgrading to a VA1 license. The SFC's review process is thorough, examining not only the organizational structure on paper but also the actual competence of each key position. Shortcomings in any aspect can lead to application delays or even rejection.

1. Responsible Officers (RO) — The cornerstone of supervisory responsibility

The Responsible Officer (RO) serves as the primary communication channel between licensed corporations and the SFC, bearing direct supervisory responsibility for the company's regulated activities. In applications for upgrading from a VA1 license, the RO's qualifications, experience, and stability are at the heart of the SFC's review and are crucial factors in determining the success of the application.

Quantity and architecture requirements

  • Minimum quantity:
    The SFC requires that every licensed corporation must, at all times, appoint "not fewer than two responsible officers" for each type of regulated activity it conducts. This fundamental principle remains unchanged for the upgrade to a VA1 license. This means that firms must ensure that at all times there are at least two responsible officers (ROs) overseeing their securities trading business involving virtual assets.
  • Permanent requirements:
    SFC regulations:At least one RO must be permanently stationed in Hong Kong, so that they can effectively monitor business operations and communicate with regulators at any time. In addition, the SFC usually expects this resident RO to also be the company's "Executive Director" to ensure that he or she has sufficient power and influence within the company to implement compliance policies.
  • Dual licensing considerations:
    While a VA1 license is an extension of a Type 1 license, its activities are subject to both the SFO (Securities Definitions) and AMLO (Anti-Money Laundering) regulations. If a company wishes to provide comprehensive intermediary services for both security and non-security tokens, the SFC strongly recommends that its RO obtain a dual license. Holding only an SFO license may limit the scope of an RO's activities. Therefore, the most robust structure is to have at least two ROs qualified under both the SFO and AMLO.

Experience and Competence Requirements

This is the most detailed and subjective part of the SFC review. The SFC not only requires ROs to have traditional financial industry experience, but also sets clear requirements for their in-depth understanding and practical experience in the field of virtual assets.

  • Traditional financial experience:
    As a Type 1 RO, applicants must still meet the SFC's basic threshold, which is to have at least three years of directly relevant securities industry experience in the past six years. This is an indispensable foundation.
  • VA Special Experience (Core Review Points):
    This is the key to success or failure in upgrading applications. SFC is aware of the scarcity of talent in the initial stage of the market and therefore adopts a so-called **pragmatic approach**.

    SFC's pragmatic approach:In the SFC's FAQs on competence, the SFC explicitly stated that, given that the VA licensing system is still in its infancy and the market may lack talent with both VA and securities experience, it will adopt a pragmatic approach to assessing RO experience.

    Specifically, SFC has the following expectations and approaches regarding the VA experience composition of the RO team:

    1. Ideal configuration - complementary experience:
      The SFC is most interested in a team of ROs with complementary experience. For example, one RO might be a seasoned securities compliance expert familiar with SFC regulations; another RO might have a deep background in virtual assets, perhaps holding a core position at a cryptocurrency exchange, VA fund, or blockchain technology company, with a deep understanding of VA trading, custody, wallet technology, on-chain analysis, and smart contract risks.
    2. Applicants with VA experience only:
      If an RO applicant's main experience comes from the VA industry (such as operating a non-security token platform) and lacks traditional securities experience, the SFC may recognize that his VA experience is equivalent to the relevant industry experience required for the Type 1 license. However, as a balance, the SFC may impose a condition (Licensing Condition) on the RO's license, namely"its licence is limited to providing services for the licensed VATP business of its principal (i.e. the licensed corporation to which it belongs)"

      This means he cannot engage in traditional securities business unrelated to the VA.
    3. Applicants with only Type 1 experience:
      On the other hand, if an RO only has traditional securities trading experience but no direct VA experience, the SFC may also recognize his securities experience. However, his license may be subject to“Non-sole” conditionThis means that the RO must work under the supervision of another fully qualified RO (i.e., one with sufficient VA experience) when performing VA-related duties.
  • How to prove VA experience:
    Verbal statements are not enough. Applicants must provide detailed, verifiable evidence in their resume (CV) and application documents, such as:
    • The name, time and scale of the specific VA projects you have participated in.
    • The role and specific responsibilities played in the project (for example, whether responsible for trading strategy, risk control, technical architecture or compliance review).
    • Types and sizes of VA assets managed.
    • Technical tools used (e.g., specific trading systems, wallet solutions, on-chain analytics software).
    • Specific cases handled (such as responding to drastic market fluctuations, handling fork events, investigating suspicious transactions, etc.).

Examination and training requirements

  • Licensing Examination (LE):
    All Type 1 licensed ROs must pass the qualifying examinations organized by the Hong Kong Securities and Investment Institute (HKSI), which include: This is a hard requirement unless the exemption conditions stipulated by the SFC are met.
    • LE Paper 1:
       Fundamentals of Securities and Futures Regulation
    • LE Paper 7:
       Financial markets (Financial Markets)
  • VA Proof of Knowledge:
    While the SFC currently does not have a mandatory independent VA examination for ROs holding a VA1 license, this does not mean there is no requirement. The SFC assesses the depth of an RO's understanding of the VA market during interviews and document reviews. Therefore, it is strongly recommended that all ROs, especially those lacking direct VA experience, complete SFC-approved virtual asset training as strong evidence of their competence.

    Industry Best Practices:The Hong Kong Securities and Investment Institute (HKSI)'s Certification Programme for Virtual Asset Professionals (CVAP) is one of the most recognized training programs on the market. This course covers core topics such as a VA market overview, product features, relevant regulations, and risk management. Completing the course and earning a certificate will significantly enhance the persuasiveness of your RO application. (Source: HKSI CVAP Core Curriculum)

2. Managers-In-Charge (MICs) — Extension of Professional Capabilities

In addition to the RO, who reports directly to the SFC, the SFC's MIC system requires that each of a licensed corporation's eight core functions be led by a clearly defined supervisor with appropriate skills and authority. While all MICs are required to understand the impact of VA on the business, the following positions have significantly higher professional competence requirements and are the focus of SFC scrutiny.

Compliance Officer (CO) and Money Laundering Reporting Officer (MLRO)

In the virtual asset sector, the complexity and risks of anti-money laundering and countering the financing of terrorism (AML/CFT) far exceed those of traditional finance. Therefore, the roles of COs and MLROs have become more important than ever, necessitating a significant upgrade in their knowledge base.

  • New core knowledge areas:
    • On-chain transaction monitoring and analysis:
      They must have a deep understanding of the coexistence of transparency and anonymity in blockchain, and be proficient in using professional on-chain analysis tools (such as Chainalysis, Elliptic, Notabene, etc.) to trace transactions, perform risk scoring, and identify suspicious activity patterns (such as the flow of funds through mixers (Mixers/Tumblers), high-risk exchanges, or darknet markets).
    • “Travel Rule”:
      Must be familiar with the Financial Action Task Force (FATF)Fatf) and ensure that the company has established a "travel rule" compliance process that meets the requirements of the Hong Kong SFC. This requires that when conducting VA transfers with a value of more than HK$8,000, the necessary information on both parties of the transaction (originator and beneficiary) can be collected, verified, stored, and transmitted to the counterparty VASP.
    • KYV (Know-Your-VASP):
      Before engaging in transactions with other virtual asset service providers (VASPs), you must be able to conduct comprehensive due diligence on them, assessing their place of registration, regulatory status, AML/CFTThe soundness of policies to manage counterparty risk.
  • Experience requirements:
    The SFC expects MLROs to have practical experience in handling suspicious transaction reports (STRs) involving virtual assets. This includes being able to clearly present the on-chain evidence and analytical logic of suspicious activities to the Joint Financial Intelligence Unit (JFIU).

Head of IT / Chief Information Security Officer (CISO)

The inherent digital nature of virtual assets exposes them to technical risks that differ significantly from those of traditional finance. The responsibilities of IT and cybersecurity leaders have expanded from maintaining traditional trading systems to encompass new areas such as protecting encryption keys and defending against on-chain attacks.

  • Core Responsibilities:
    Ensure the security of trading systems, customer data and, most importantly, customer virtual assets.
  • VA special technical requirements:
    • Safe Generation:
      Generate keys offline using a certified Hardware Security Module (HSM) or similar secure environment to ensure randomness and unpredictability.
    • Secure Storage:
      Backups of private keys and mnemonics must be encrypted and securely stored in Hong Kong in a physically isolated manner.
    • Access control:
      Multi-signature and layered authority mechanisms are used to ensure that no single person can unilaterally use customer assets.
    • Emergency Plan:
      Develop a detailed emergency plan for private key leakage or loss, including a process for quickly transferring assets.
    • Wallet management architecture:
      A deep understanding of, and the ability to design, implement, and maintain secure wallet systems is essential. This includes strictly adhering to the SFC's requirement for licensed VATPs to maintain 98% of assets in cold storage and properly managing the risks associated with hot wallets for the remaining 2%. (Source: VATP Guidelines, Para. 10.6(c))
    • Private key security management:
      This is of paramount importance. The responsible person must develop and oversee the implementation of a strict security policy that covers the entire lifecycle of private keys, including:
    • Network security defense:
      Experience and technical solutions are required to deal with targeted cyber threats, such as distributed denial of service (DDoS) attacks, smart contract vulnerability exploits, phishing, malware, etc. Regular third-party penetration testing and vulnerability scanning are mandatory compliance actions.

Risk Manager

Risk managers need to expand their vision from traditional market, credit and operational risks to cover the new risk dimensions brought by virtual assets.

  • New risk identification and management dimensions:
    • Technology and protocol risks:
      Understand and assess the inherent risks of specific blockchain protocols, such as the security of the consensus mechanism, transaction finality issues, potential vulnerabilities in smart contract code, and the risks to asset security and value volatility that may arise from hard forks or network upgrades.
    • Market and liquidity risks:
      In addition to high price volatility, one must also pay attention to the differences in liquidity depth of specific tokens on different exchanges, the risk of slippage, and the potential for liquidity depletion under extreme market conditions.
    • Custody and counterparty risk:
      Conduct rigorous due diligence and continuous monitoring of the licensed VATP and any third-party technology service providers (such as wallet technology providers) to assess their security, compliance and financial soundness.
    • Operational risks:
      Develop specific operational procedures for VA transactions, such as preventing “fat finger” errors, handling failed on-chain transactions, and ensuring the security of asset transfers between hot and cold wallets.

3. Licensed Representatives (LR)

Licensed representatives are the frontline personnel who directly face clients and execute trading instructions. Although the SFC's experience review of LRs is less stringent than that of ROs, it also has clear requirements for their knowledge level and compliance awareness.

  • basic requirements:
    Like ROs, LRs engaged in Type 1 business must pass HKSI's LE Paper 1 and Paper 7 examinations.
  • VA Knowledge Requirements:
    The Company has primary responsibility for ensuring that all LRs providing VA trading services to clients receive adequate internal or external training. Training should at least include: All training records, including course outlines, participants, and assessment results, must be properly maintained and readily available for inspection by the SFC.
    • The fundamentals and technical characteristics of the VA being traded.
    • The key risks associated with VA investments, particularly volatility, liquidity, custody and cybersecurity risks.
    • The company's VA transaction process and customer suitability assessment criteria.
    • Relevant AML/CFT regulations.

 

III. Ongoing Responsibilities and Compliance Maintenance after License Upgrade

Successfully obtaining SFC approval to include virtual asset trading in the scope of business under a Type 1 license is not the end, but rather the starting point for a higher standard of compliance. Licensed corporations and their key personnel must fulfill a series of ongoing responsibilities to ensure continued compliance in a dynamic regulatory environment. Failure to comply with these ongoing obligations may result in severe disciplinary action, including fines, suspension, or even revocation of licenses.

Continuous Professional Training (CPT)

The SFC requires all licensed individuals, including ROs and LRs, to complete a specified number of CPT hours each year to ensure their knowledge and skills are up to date. For licensed individuals involved in VA business, the CPT requirements are more specific.

  • Content relevance:
    CPT courses must be relevant to the functions performed by the licensee. Therefore, ROs and LRs engaged in VA transactions should include a significant portion of VA-related topics in their annual CPT program. These topics may include, but are not limited to:
    • The latest VA regulatory developments (Hong Kong and major jurisdictions worldwide).
    • Emerging blockchain technologies and security threats.
    • The latest developments in on-chain analytics and AML/CFT tools.
    • The structure and risks of new VA products (such as RWA tokenization and DeFi protocols).
  • Record keeping:
    Companies must keep detailed CPT records for each licensed individual, including course title, sponsoring institution, date, duration and content summary, and ensure that the records are retained for at least three years for review by the SFC.

Regular reporting and independent audits

Transparency and external verification are key elements of SFC regulation. A company's reporting and auditing obligations increase when engaging in VA business.

  • Financial Reports:
    In addition to submitting annual audited financial statements and regular financial resource returns (FRRs) as required, the SFC may require companies to disclose more clearly in their reports the financial status related to VA business, such as VA assets held (as part of the company's assets), related income and expenses, etc.
  • Business Report:
    The SFC has the power to require licensed institutions to submit regular reports on their VA business, which may include trading volume, number of clients, types of VA for major transactions, and major risk events.
  • Mandatory independent audits:
    This is a notable feature of VA business supervision. In accordance with the spirit of the VATP Guidelines, the SFC expects institutions engaged in VA business to hire an independent third-party professional organization to audit or review their internal control systems and IT infrastructure annually. For VA1 license holders, this may particularly focus on:
    • IT systems and network security:
      In particular, the effectiveness of wallet management systems, private key security processes, and network defense measures.
    • Compliance and risk control processes:
      The implementation of AML/CFT policies, especially the effectiveness of on-chain transaction monitoring and customer risk assessment.

Major incident reporting mechanism

The high volatility and technological risks of the virtual asset market require licensed institutions to have a high degree of risk sensitivity and rapid response capabilities. Establishing an effective major incident reporting mechanism is mandatory.

  • Reporting deadline:
    In the event of an incident that may have a significant impact on the safety of customer assets, the financial soundness of the company or market stability, it must be handled within a very short period of time (for example, some security incidents requirewithin 48 hours) report to the SFC.
  • Event Scope:
    Major incidents that require reporting include, but are not limited to:
    • Anything involving the client's VA assetsCybersecurity incidents, such as hacker attacks, private key leaks, or unauthorized access.
    • Major service interruptions or security issues with licensed VATPs or key technical service providers.
    • Discovery of significant internal fraud or violations of internal control procedures.
    • Significant financial losses that threaten the company's continued operations.
    • Any legal proceedings or regulatory investigations that may give rise to significant compliance or reputational risks.

Dynamic updates to policies and procedures

The virtual asset industry and regulatory landscape are evolving at a breakneck pace. Static compliance manuals quickly become outdated. Therefore, ongoing policy review and updates are essential.

  • Regular review:
    The company's compliance, risk control and IT departments should establish a regular review mechanism (for example, every six months or once a year) to systematically assess whether existing policies and procedures are still applicable and effective.
  • Triggered updates:
    When the following situations occur, the relevant policies should be updated immediately:
    • The SFC publishes new VA-related circulars, guidelines, or FAQs.
    • FATF or other international standard-setting bodies update their standards.
    • New major risk events or attack methods emerge in the market.
    • The company plans to introduce new VA products, services, or technologies.
  • Employee Communication and Training:
    Any policy updates must be communicated to all relevant employees in a timely manner and supplemented with necessary training to ensure that the new policies are correctly understood and implemented.

 

IV. Practical Checklist and Action Guide: Your VA1 License Upgrade Roadmap

Theoretical knowledge must ultimately be transformed into actionable actions. In this chapter, Aiying aims to provide you with a highly structured, actionable self-checklist and action guide to help you systematically assess your current situation, identify gaps, and plan your upgrade path from the existing No. 1 license to the VA1 license. All content is extracted from official SFC documents andAiyingPractice summary.

Overview of key personnel changes (Type 1 vs. VA1 license)

The following table visually illustrates the key changes and enhancements to core personnel requirements after upgrading from a traditional Type 1 license to a VA1 license. This can serve as a starting point for your internal capability review.

 

V. Conclusion: Compliance is the cornerstone, talent is the key

The successful upgrade of a Type 1 license to a VA1 license is a critical step for traditional financial institutions to maintain their market competitiveness in the digital asset era. While the SFC's regulatory framework is stringent, its core logic is clear and consistent: ensuring adequate investor protection through rigorous rules and upholding the stability and reputation of Hong Kong's financial markets. Within this framework, all sophisticated systems, processes, and technologies ultimately rely on people for design, implementation, and oversight. Therefore, building a team that possesses both a deep understanding of traditional financial compliance and specialized knowledge and risk awareness in the virtual asset sector is the only and most reliable path to success. This is not merely a passive measure to meet SFC licensing requirements; it is an inherent requirement for businesses to thrive in the high-risk, high-reward VA market of the future. Aiying recommends that prospective applicants initiate internal personnel assessments as soon as possible, viewing the recruitment and development of talent as a strategic investment. With the conclusion of the new round of regulatory consultation for VA dealers and custodians on August 2025, 8, Hong Kong's virtual asset regulatory landscape will be further refined. Disclaimer: This article is based on publicly available information and reference materials as of August 29, 2025. It is for general reference and academic purposes only and does not constitute legal, financial, or investment advice. The regulatory environment for virtual assets is still evolving rapidly. Specific application requirements should be based on the latest official guidance and regulations issued by the Hong Kong Securities and Futures Commission (SFC). Before taking any action, please consult Aiying.

Aiying