The Hong Kong Securities and Futures Commission has listed new key requirements and best-practice recommendations to protect client digital assets.
On Friday, the commission published a circular for all licensed virtual asset trading platforms (VATPs) to guide the sector toward enhanced custody systems under the “ASPIRe” plan. It said from now on, VATPs will need to review and strengthen their custody practices, particularly after the series of incidents in recent months that have highlighted deficiencies in custody protection.
Dr Eric Yip, the SFC’s Executive Director of Intermediaries, commented: “In order for Hong Kong to foster a competitive, sustainable and trusted digital asset ecosystem, client asset protection must always remain a top priority for all licensed VATPs, which can leverage the SFC’s practical guide to step up their custody practices especially amid heightened risks globally.”
According to the SFC, its examination of VATPs exposed gaps in several operational controls. In June 2024, it identified three unregistered VATPs active in Hong Kong: Tokencan, VBIT Exchange, and HKD.com. At the time, it accused the firms of making deceptive claims, committing fraud, and providing misleading information to investors, many of whom struggled to access their funds later.
Earlier this year, it also found vulnerabilities in VATP cybersecurity, citing problems like inadequate network segmentation, outdated encryption methods, and lax access restrictions. In late January, it then issued requirements for the platforms to implement network segmentation protocols, robust access control frameworks, and round-the-clock monitoring.
This Friday, it released a circular introducing additional requirements for VATPs, pointing to multiple custody failures abroad that exposed vulnerabilities in wallets, transaction verification procedures, and access controls. Per the commission’s findings, the main failures in wallet infrastructure and controls overseas involved breaches in third-party wallet solutions, inadequate transaction verification processes, and weak access management for approval devices.
It also claimed that the incidents show both hot and cold wallets are vulnerable, even when custody uses HSMs, MPC, or Multi-Sig methods, which necessitates the new requirements. Additionally, it claimed the circular offers extra direction for Platform Operators: although most reported having core safeguards in their latest inquiry, several submissions were still inadequate.
It further noted that over time, the new measures will form the central guidelines for virtual asset custodians and help in creating a unified and effective framework for custody practices across the industry.
On Thursday, the commission, alongside the Hong Kong Monetary Authority, also put out a joint statement responding to recent changes in the stablecoin market. The HKMA particularly emphasized that it follows a disciplined and prudent process, with relatively tough standards for granting stablecoin issuer licenses. On the other hand, the SFC claimed it will continue to observe trading activities in Hong Kong and implement safeguards where necessary. Nonetheless, both parties did encourage the public to be prudent, undertake in-depth research, and resist the temptation to invest solely based on market excitement or momentum.
Ms Julia Leung, Chief Executive Officer of the SFC, stated that sudden price fluctuations of stablecoins show that investors should be aware of all the risks involved and what they could potentially lose before investing. She also urged investors to be wary of the prospects of asset gains advertised on social media.