The Definitive 2025 Guide to Upgrading a Hong Kong Type 1 License for VA Business

Authoritative application guide based on SFC official guidelines and Aiying's practical experience

• 100+: Success cases
• 8: Professional experience
• Authority: Policy interpretation
• Global: Service network

A quick look at the regulatory framework: Understanding the essence of the "VA1 license"

Before delving into specific staffing requirements, we must first clarify a fundamental concept: the nature of the VA1 license and the SFC’s regulatory philosophy.

Checklist and action guide: Your VA1 license upgrade roadmap

Knowledge ultimately needs to be transformed into executable actions. This section provides you with a highly structured, actionable self-checklist and action guide.

Complete personnel inventory, formulate recruitment/training plans, and adjust organizational structure

• VA capability assessment of existing personnel
• Recruitment or internal training programs
• Organizational structure adjustment plan

Update core documents and develop VA project policies and procedures

• Business plan revision
• Compliance Manual Updates
• Private key management policy
• AML/CFT Policy Update

Prepare all application materials and supporting documents

• Personnel resumes and training certificates
• Wallet operation mechanism description
• IT system assessment report

Submit your application through the WINGS system and actively cooperate with the review

• Application submission
• SFC inquiry response
• On-site inspection cooperation (if necessary)
• Implementation after approval

In-depth analysis of staffing: the core requirements of VA1 license upgrade

The SFC's review looks through form to substance. It reviews not only the organizational structure on paper but also evaluates in depth the actual competence of the person in each key position.

Quantity and architecture requirements

• Minimum number: no less than two ROs
• Permanent residency requirement: At least one RO must be permanently stationed in Hong Kong
• Dual license: It is recommended to have both SFO and AMLO qualifications

Experience and competence

SFC's pragmatic approach:
Considering that the VA licensing system is still in its infancy and the market may lack talent with both VA and securities experience, the SFC will take a pragmatic approach in assessing the experience of ROs.

Ideal configuration – complementary experience
One RO is a senior securities compliance expert, and the other RO has a deep background in virtual assets.

Applicants with VA experience only
May be subject to a licence condition of "limited to VATP business"

Applicants with only Type 1 experience
May be subject to a "non-sole appointment" condition and must work under the supervision of an RO with VA experience

Examination and training requirements

• Qualifying exams: LE Paper 1 & Paper 7
• Proof of VA knowledge: Completion of HKSI's CVAP course is recommended

Compliance Officer (CO) & MLRO

New core knowledge areas
• On-chain transaction monitoring and analysis tools (Chainalysis, Elliptic)
• Travel Rule compliance process
• KYV (Know-Your-VASP) due diligence

Experience requirements

Practical experience in handling suspicious transaction reports (STRs) involving virtual assets

Head of IT and Cybersecurity

VA Special Technical Requirements
• Wallet management architecture (98% cold storage requirements)
• Private key security management throughout the entire life cycle
• Network security defense (DDoS, smart contract vulnerabilities)

Head of Risk Management

New risk dimension
• Technical and protocol risks (consensus mechanism, hard fork)
• Market and liquidity risks (slippage, liquidity depletion)
• Custody and counterparty risk (VATP cooperation risk)

Basic requirements

Like ROs, LRs engaged in Type 1 business must pass HKSI's LE Paper 1 and Paper 7 examinations.

VA Knowledge Requirements

The Company has the primary responsibility to ensure that all LRs providing VA trading services to clients have received adequate internal or external training.

The training content should include:
• The basic principles and technical characteristics of the VA being traded
• Key risks associated with VA investments (volatility, liquidity, custody, cybersecurity)
• The company's VA transaction process and customer suitability assessment standards
• Relevant AML/CFT regulations

Record keeping

All training records, including course outlines, participants, assessment results, etc., must be properly kept and available for SFC inspection at any time.

Overview of key personnel changes (Type 1 vs. VA1 license)

| Position/Role | Existing Type 1 license basic requirements | New/enhanced requirements for VA1 licenses | Key checkpoints |
|---|---|---|---|
| Responsible Officer (RO) | At least 2 people; 3 years of experience in the securities industry; at least one person resident in Hong Kong; pass LE Paper 1 & 7 | The number remains the same, but there are new experience requirements; the RO team needs to have comprehensive knowledge and experience in virtual assets; at least one RO must have direct VA-related experience; completion of VA-related professional training is highly recommended | VA-related project experience, SFC license requirements, and training certificates in your resume |
| Licensed Representative (LR) | Have securities trading qualifications (LE Paper 1+7) | Must receive and complete internal or external training on virtual assets, covering products, risks and compliance requirements | Are LR training records and assessment certificates complete and available for review? |
| Key Function Managers (MICs) | Covering 8 core functions, such as compliance, risk control, IT | Higher requirements for the professional capabilities of specific MICs: 1. MLRO: needs to understand on-chain analysis tools and the Travel Rule; 2. IT Manager: must understand wallet security and private key management; 3. Risk Manager: needs to understand VA-specific risks | Organizational chart, job description (JD), resumes of key personnel |

Ongoing responsibilities and compliance maintenance after license upgrade

Successfully obtaining SFC approval is not the end, but the starting point for a higher standard of compliance. Licensed corporations and their key personnel must fulfill a series of ongoing responsibilities.

Continuing Professional Training (CPT)

Content relevance

CPT courses must be relevant to the functions performed by the licensee. ROs and LRs engaged in VA transaction services should include a significant portion of VA-related topics in their annual CPT program.

• Latest VA supervision developments (Hong Kong and major jurisdictions worldwide)
• Emerging blockchain technologies and security threats
• Latest developments in on-chain analytics and AML/CFT tools
• The structure and risks of new VA products (such as RWA tokenization and DeFi protocols)

Record keeping

Companies must keep detailed CPT records for each licensed individual, including course title, sponsoring institution, date, duration and content summary, and ensure that the records are retained for at least three years.

Regular reporting and independent audits

Financial reporting

In addition to the required annual audited financial statements and periodic financial resource returns (FRRs), the SFC may require companies to disclose more clearly their financial status related to VA business in their reports.

Business report

The SFC has the power to require licensed institutions to submit regular reports on their VA business, which may include trading volume, number of clients, types of VA for major transactions, and major risk events.

Mandatory independent audits

The SFC expects institutions engaged in VA business to hire an independent third-party professional organization to audit their internal control systems and IT infrastructure annually, especially the effectiveness of wallet management systems, private key security processes, and network defense measures.

Major incident reporting mechanism

Reporting deadline

Any event that may have a significant impact on the safety of client assets, the financial soundness of the company or market stability must be reported to the SFC within 48 hours.

Event Scope

• Any cybersecurity incident involving client VA assets
• Major service interruption with partner VATP or technical service provider
• Discovery of significant internal fraud or violations of internal control procedures
• Significant financial losses that threaten the company's continued viability
• Any legal proceedings that may raise significant compliance risks

Dynamic updates to policies and procedures

Regular review

The company's compliance, risk control and IT departments should establish a regular review mechanism (for example, every six months or once a year) to systematically assess whether existing policies and procedures are still applicable and effective.

Triggered updates

• SFC publishes new VA-related circulars, guidelines or FAQs
• FATF or other international standard-setting bodies update their standards
• New major risk events or attack methods emerge in the market
• The company plans to introduce new VA products, services or technologies

Employee communication and training

Any policy updates must be communicated to all relevant employees in a timely manner and supplemented with necessary training to ensure that the new policies are correctly understood and implemented.

Hong Kong VA1 license holder

As of January 2025, 6 companies have successfully obtained VA1 licenses

| Company Name | License number | Licensing date | Operational status |
|---|---|---|---|
| OSL Digital Securities Limited | BPJ213 | September, 2020 | In operation |
| Hash Blockchain Limited | GLP992 | September, 2022 | In operation |
| Hong Kong Virtual Asset Exchange Limited | BPW549 | September, 2024 | In operation |
| Hong Kong Digital Asset EX Limited | BUA970 | September, 2024 | In operation |
| Accumulus GBA Technology | BUA970 | September, 2024 | In operation |
| DFX Labs Company Limited | - | September, 2024 | In operation |
Data source: Hong Kong Securities and Futures Commission (SFC) official website, last updated: January 2025.

About Aiying

Aiying (License.aiying.cc) specializes in the application and acquisition of global traditional finance and Web3-related licenses. With offices in Hong Kong, the UAE, and Europe, the company maintains in-depth communication and collaboration with local regulators, having successfully applied for and obtained licenses in Hong Kong for leading and mid-tier crypto and traditional institutions in the industry. Headquartered in Asia, the team brings together experts in operations, marketing, law, regulatory compliance, and accounting, adhering to client business objectives to provide comprehensive and in-depth strategies and solutions.
