On 20 February, the Hong Kong Securities and Futures Commission (SFC), the proposed regulator to oversee Hong Kong’s new virtual asset exchange licensing regime (VA Licensing Regime) released the eagerly awaited consultation paper (Consultation Paper) on the VA Licensing Regime.
The Consultation Paper sets out proposed regulatory requirements applicable to the VA Licensing Regime in the form of various draft guidelines (Regulatory Requirements). The SFC has invited market participants and interested parties to comment on the Regulatory Requirements by 31 March 2023.
This alert gives you a snapshot of the key things you need to know about the Consultation Paper, and what it means for your business.
It is structured as follows:
Please contact us anytime if you would like to discuss. We have a large team working with clients to ensure they are ready for the transitional arrangements and full licensing. We’re also actively working with industry bodies and clients on the consultation.
Part A – Key points to know
Where does this consultation fit in?
The VA Licensing Regime commences on 1 June 2023. The Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO) sets out the overarching requirements and framework underpinning the VA Licensing Regime (see our alerts regarding the proposed AMLO bill and further updates).
The release of the Regulatory Requirements represents a key step for licensees (Licensed Providers) to understand and implement what needs to be in place ahead of 1 June 2023.
Scope of the Regulatory Requirements
The Regulatory Requirements are a unified framework for exchanges licensed under the AMLO and the Securities and Futures Ordinance (SFO) to ensure there is a consistent approach across the industry.
The Regulatory Requirements take the form of four key guidelines:
Key topics covered
The Regulatory Requirements covers minimum standards across the following areas:
In some instances, the requirements impose obligations on the Licensed Provider to ensure its affiliates (for example, its Associated Entity holding client assets), satisfy certain minimum standards.
What else do I need to know?
Upon commencement of the VA Licensing Regime, Licensed Providers must comply with the final form of the Regulatory Requirements at the relevant time.
Importantly:
- Regulatory Requirements are (near but) not final. Market participants are invited to respond to several questions and the Regulatory Requirements generally. Despite this, the Regulatory Requirements are a good indication of the position the SFC is likely to take on a number of key issues. See Part B for some key areas of focus for the industry.
- Regulatory Requirements will not be law. The Regulatory Requirements do not generally have the force of law, but will affect the interpretation of the AMLO and the ability to obtain and retain a licence. Failure to comply may result in disciplinary action and the refusal or loss of a licence (if a person is considered no longer “fit and proper”). In practice, this means Licensed Providers are expected to comply with the Regulatory Requirements strictly, as licensees.
- Regulatory Requirements will supersede previous virtual asset exchange requirements. Following 1 June 2023, the SFC will regulate the trading of security tokens via the existing securities licensing regime (SFO regime) and regulate non-security token trading under the VA Licensing Regime. The “Guidelines for Virtual Asset Trading Platform Operators” (VATP Guideline), which forms the key guideline under the VA Licensing Regime will apply to all Licensed Providers under both regimes. This means they will supersede the existing rules for exchanges licensed under the SFO, which we wrote about here. The SFC has implied an expectation that exchanges apply for both AMLO and SFO licences, but this is not strictly mandatory.
- Consolidation of requirements rather than total re-write. The Regulatory Requirements are long but consolidate many existing SFC concepts and requirements such that they are not totally new and unfamiliar. For example, the SFC has incorporated its guideline on competence into the VATP, albeit some modifications to reflect virtual asset practices and some greater flexibility. This means that many of the requirements are not surprising, although a close review is valuable – there are some important updates that may well require additional resource or benefit from feedback to the SFC.
Part B – A closer look at key thematic areas of the consultation
The following table summarises some of the most topical Regulatory Requirements:
Company requirements
Key requirement
|
Further detail
|
Example
uses 2
|
Who needs to be licensed? |
At a high level, the VA Licensing Regime is intended to capture centralised automated trading systems for virtual assets, where those assets come into the custody of the operator. A footnote to the Consultation Paper makes clear that order routers, bulletin boards and peer-to-peer platforms are not generally caught. This makes the regime a narrow one and will leave multiple platforms out of scope. The SFC pre-vets and oversees the Licensed Provider, plus their responsible officers (ROs) and licensed representatives (LRs). In addition, there is indirect oversight of substantial shareholders / owners, directors, other personnel and the Associated Entity that must hold its client assets. More on this below. |
|
Position on key activities |
Exchanges will be largely limited in relation to their exchange functions. The SFC has formed a view on several key points of particular interest to the market:
|
|
Pathway for retail |
Retail investors will be able to participate, but have more protections in place. Several requirements will capture all individuals regardless of net worth. Overall, there has been significant progress made on retail participation across multiple public and private consultations. A few key points:
|
|
Client asset protection |
Protection of client assets has long been a key focus area for the SFC. The key requirements include the following:
|
|
Financial resources |
Licensed Providers are required to maintain adequate financial resources, including paid-up share capital of at least HKD5,000,000 and liquid capital of at least HKD3,000,000. The Regulatory Requirements also stipulate holding liquid assets equivalent to at least 12 months of actual operating expenses. Critically, virtual assets are not counted. Complex additional rules apply to ensure adequacy. |
|
AML/CTF compliance controls |
As expected with an AMLO regime, the Licensed Provider is required to maintain adequate anti-money laundering and counter-terrorist financing (AML/CTF) policies, procedures and controls. This will in practice mean developing strong written policies and procedures for risk-based customer due diligence at onboarding, periodically and on trigger events, name screening, sanctions compliance, transaction monitoring and record keeping. The key VA industry specific requirements are set out in Chapter 12 of the Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (For Licensed Corporations and SFC-licensed Virtual Asset Service Providers) (AML/CTF Guideline), plus a thematic version for Associated Entities. Key points are summarised as follows. Compliance with the Travel Rule Similar to traditional wire transfer rules, Licensed Providers, whether as ordering, intermediate or beneficiary institution, are required to obtain, record and submit, as appropriate to the role, prescribed information relating to the originator and beneficiary (known as the Travel Rule). However, under the SFC’s traditional wire transfer rules, the only obligation on what to do with the information collected is to screen the parties involved in a cross-border transfer. The obligations on Licensed Providers under the Travel Rule go further than list screening (though screening is required). Licensed Providers are also required to have procedures to establish whether the counterparty is a VA transfer counterparty or an unhosted wallet with the requirements then flowing from the distinction. The first obligation for VA transfer counterparties is to identify whether the counterparty is “eligible” to deal with. The “eligibility assessment” includes understanding the:
Senior management approval is also required. In addition, Licensed Providers are required to assess whether the VA transfer counterparty can comply with the travel rule and conduct a form of risk assessment on the counterparty similar to a client risk assessment. Overall, the requirements are similar to those that apply to cross-border correspondent relationships and the AML/CTF Guideline directly references those rules as providing further guidance on conducting due diligence. Although onerous, due diligence only needs to be conducted on the VA transfer counterparty on the first transaction, unless there is a suspicion of ML/TF and then periodically as part of ongoing monitoring, it is not required on each transaction. For VA transfers to or from unhosted wallets, “extra care” is required. The same originator and recipient information must still be collected before the transaction takes place and a risk assessment must be conducted. Additional risk mitigation steps To mitigate the non-face-to-face nature of onboarding expected to be adopted by most Licensed Providers, they are encouraged to obtain the IP address with an associated time-stamp, geo-location data and device identifiers. Transaction monitoring On-chain analytics tools are expected to be used that:
|
|
Fit and proper requirements
Key requirement
|
Further detail
|
Example
uses 2
|
Fit and proper details - general |
The corporate applicant, officers of the applicant (including ROs, LRs, and directors), and the “ultimate owners” of the applicant must be “fit and proper”. The SFC has set out its prescriptive factors to assess whether a person is “fit and proper”. The criteria largely mirrors existing SFC requirements from the SFO regime, adapted to suit the virtual asset context. Several of the key factors include the financial status of the person, education and qualification and industry experience of the person, the ability to act competently, honestly and fairly, their reputation and character, and any there has been serious convictions (especially relating to AML/CTF or matters going to honesty and probity). The SFC has provided guidance as to what it will consider as part of each of these factors. |
|
Guidance on competence |
Competence forms a key pillar of the fit and proper assessment. The SFC has provided detailed guidance on the matters it will ascertain if a person is competent, and therefore “fit and proper”. In particular, in the context of the corporate applicant, the SFC will consider the applicant’s business model, governance arrangements, staff competencies, resources, internal controls, risk management framework, operations, and compliance framework as part of the application process. Licensed persons must be able to demonstrate that they satisfy the following competence requirements, which are more stringent in respect of responsible officers:
The precise exams that need to be taken depend on satisfaction of the other competence requirements and whether the person is a licensed representative or responsible office but by and large, the expectation is that regulated persons will sit the necessary RIQ or LRP, unless an exemption applies. Exemptions to RIQ and LRP requirements The SFC has introduced several exemptions to the RIQ and LRP requirements. The SFC will consider granting discretionary exemptions if the relevant person has comparable qualifications or industry experience, or the person agrees that they will pass an LRP within six months of the approval. Such discretionary relief may include the imposition of conditions. The SFC has also set out a list of full and condition exemptions from RIQ and LRP that responsible officers and licensed representatives may seek to rely on. Most of the exemptions are premised on the person having already the requisite industry qualification or local regulatory knowledge, either through past experience or holding the same licences. |
|
External attestations: legal opinions and EARs
Besides audit, there are two key forms of external attestation proposed:
If you are intending to apply for a licence soon, it is essential to start work as soon as possible to ensure your policies and procedures reflect the full gamut of the Proposed Regulatory Requirements and then fine-tuned as necessary to reflect the final version, to enable the EARs to be delivered in time. We are already working with several clients and have a full compliance suite available.
Disciplinary action
The SFC has also proposed Disciplinary Fining Guidelines under Appendix D of the Consultation Paper. The Guidelines indicate the manner in which the SFC will exercise its power to impose fines on regulated persons guilty of misconduct, or where regulated persons are, or were not, fit and proper.
Part C – Transitional arrangements
The AMLO contemplates exchanges operating in Hong Kong at the commencement of the VA Licensing Regime will obtain the benefit of certain provisions while they either apply for a licence or wind down their activities.
There are two aspects to the transition arrangements, summarised below:
GRACE PERIOD FOR EXISTING OPERATORS
|
DEEMING ARRANGEMENTS
|
Example
uses 2
|
A person will not contravene the requirement to hold a licence for the period until 1 June 2024 if the:
|
The VA Licensing Regime proposes a mechanism to deem persons as licensed, while their application is being assessed. An existing virtual asset exchange will not be considered to have contravened the AMLO and SFC rules between 1 June 2023 and 31 May 2024, if certain prescribed conditions are met. This means they will be able to continue to operate until they are licenced. See our alert (here) for a full list of the applicable conditions. Following this, if a person’s application is still being assessed, a person will be deemed licensed from 1 June 2024 until that application is formally approved (unless withdrawn or rejected). |
|
The Consultation Paper provides further guidance on the eligibility requirements to be deemed licensed, and a breakdown of key dates and implementation details.
If a virtual asset exchange is not eligible, then from 1 June 2023, it must not perform any virtual asset services in Hong Kong until its licence application is approved.
SFC registers
The SFC proposes to maintain public registers covering licensed, deemed licensed, closing-down and unlicensed platforms. The last of these is perhaps the most challenging in practice, given the limits of the proposed VA Licensing Regime and complex interpretational questions. We expect this to be a focus area in consultation responses to ensure fairness while still protecting the public from unscrupulous actors.
Part D – Next steps
Responses to the Consultation Paper are due by 31 March 2023. We encourage market participants to provide feedback given the Regulatory Requirements are not final.
From here, there is a short lead time to commencement of the VA Licensing Regime. We expect the SFC to swiftly confirm any changes and the final state of the Regulatory Requirements. In that time, we encourage those seeking to apply for a licence to take steps to:
- check the nature and scope of your business;
- check that you and your proposed regulated individuals are eligible for the transitional arrangements;
- prepare a high quality licence application;
- ensure policies, procedures and operations are in place;
- create all necessary compliant client agreements and disclosures; and
- arrange external legal opinions and EARs.
Other market participants, such as SFC-licensed corporations and HKMA-regulated banks will also need to consider the impacts of the new regime on their relationships with virtual asset exchanges and onboarding procedures.
Please contact us to discuss, anytime.
Any reference to “Hong Kong” or “Hong Kong SAR” in this article shall be construed as a reference to “Hong Kong Special Administrative Region of the People’s Republic of China”.