The Hong Kong Monetary Authority (HKMA) has issued an important circular (Circular) outlining its expectations of “authorized institutions” (AIs) regulated under the Banking Ordinance (Cap. 155) when they engage in custodial activities for digital assets, including when they are:
- doing so while acting as an intermediary;
- doing so while distributing tokenised products; or
- providing standalone custodial services.
For Hong Kong locally incorporated AIs, the rules also apply to their subsidiaries.
The standards in the Circular are extensive and granular, while providing a degree of flexibility that is essential to reflect the broad spectrum of custody solutions and what “good practice” looks like as technologies evolve at a rapid pace.
The release of the Circular by the HKMA is timely and demonstrates the HKMA's commitment to promote the healthy development of the evolving digital asset ecosystem in Hong Kong, and foster responsible and secure operations for digital asset participants.
This alert provides a summary of the Circular. Please also refer to the regulatory chart in our 16 February 2024 alert that shows where this fits into Hong Kong’s overall framework for digital assets. The Circular is also issued against the backdrop of international efforts in this area, including, the International Organisation of Securities Commissions’ (IOSCO) Policy Recommendations for Crypto and Digital Asset Markets (November 2023) and the emergence of digital asset and blockchain-specific technical standards from the likes of the International Standards Organization (ISO).
Those already engaging in digital asset custody activities have six months (ending on 20 August 2024) to notify the HKMA and comply with the Circular. Those not already engaging in such activities must discuss their plans with the HKMA in advance and demonstrate compliance.
Application of the Circular
The Circular applies to digital assets[1] held on behalf of clients by AIs and the subsidiaries of locally incorporated AIs (client digital assets), with some exceptions. The following chart illustrates examples of what is in and what is out.
[1] Defined broadly as “assets that depend primarily on cryptography and distributed ledger or similar technology”.
Critically, some of the standards in the Circular only apply to virtual assets (VAs) and not to digital assets more broadly – this is an important distinction, as higher standards apply to VAs.[2]
Further details are set out below.
[2] For example, the requirements set out in paragraph 11 of the Circular (also see the Annexure to this alert) are “generally required for an AI which holds client VAs”, whereas for other digital assets, an “AI may adopt a risk-based approach in the implementation” of the same.
NB. While the Circular does not directly mirror the language used in the Hong Kong Securities and Futures Commission’s (SFC) Guidelines for Virtual Asset Trading Platform Operators (VATP Guidelines) for exchanges regulated under the AMLO, the requirements in the Circular are largely consistent with the VATP Guidelines (specifically, Part X), save for a few areas. We also flag that the distinction between VAs and digital assets more generally in the Circular is not in principle available to VA exchanges in Hong Kong under the VATP Guidelines, which apply more broadly across the business and could cover more than VAs alone.
Governance and custodial standards set by the Circular
The following table summarises the standards set by the Circular. Many of these would be familiar from the VATP Guidelines, as noted above.
A note on regulatory capital treatment of digital asset custodial activities
Although not specifically addressed in the Circular itself, the recent HKMA Basel cryptoasset standards consultation paper stated that custodial services involving the safekeeping or administration of client cryptoassets on a segregated basis do not generally give rise to Basel credit and market risk capital charges or Basel liquidity requirements. This is a welcome clarification and consistent with the Basel Committee’s global cryptoasset standards. However, also consistent with the Basel Committee’s global standards, custody services will attract operational risk capital requirements and risk management requirements under the HKMA’s Basel cryptoasset standards consultation. Please see our earlier article on the HKMA’s Basel cryptoasset standards consultation paper.
KWM’s deep digital asset custody experience
We have worked with multiple major custodians, banks, exchanges, securities firms and technology companies on their digital asset custodial arrangements over many years, including structuring compliant frameworks, creating and reviewing policies and procedures, client documentation for digital assets services, undertaking independent external reviews, licensing and training. We also regularly support clients in their engagement with the HKMA and the SFC.
Next steps
Please let us know if we can support you with any custody and other digital asset initiatives.
This alert is not legal advice. Digital assets involve complex areas of evolving law and regulation. Please contact us if we can assist you - we would be delighted to help. The authors also wish to acknowledge the valuable contributions of Nikita Ajwani and Shannon Hatheier to this alert.
Annexure
Generally required procedures and controls for VAs are as follows. For other digital assets, a risk-based approach is possible:
- Generating and storing seeds and private keys, including backups, in a secure and tamper-resistant environment and devices, such as a hardware security module (HSM).
- Securely generating, storing and backing up seeds and private keys in Hong Kong.
- Strictly restricting access to cryptographic devices or applications on a need-to-know basis to authorised personnel with appropriate screening and training.
- Maintaining up-to-date documentation of how access is authorised and validated and access rights allocated.
- Using strong authentication methods, such as multi-factor authentication, to authenticate access to seeds and private keys.
- Maintaining an audit trail of access to the cryptographic devices or applications.
- Implementing robust controls to avoid any “single point of failure”.
- Putting in place controls to prevent and mitigate the risk of collusion among authorised personnel with access to the seeds and private keys.
- Having adequate offsite backups and contingency arrangements for seeds and private keys, which should be subject to the same security controls as the original seeds and private keys.
- Storing a substantial portion of client digital assets in cold storage unconnected to the Internet, unless otherwise justified (where client assets under custody are VAs, at least 98% should be in cold storage).
- Allowing deposit and withdrawal of client digital assets only through wallet addresses that belong to clients.
- Implementing measures to ensure that any smart contract used in the custody process is not subject to any contract vulnerabilities or security flaws to a high level of confidence.
- Maintaining an appropriate insurance or compensation arrangement to adequately cover any loss of client digital assets (where client digital assets under custody are VAs, an AI should have in place a compensation arrangement or insurance that covers potential loss of 50% of the client digital assets in cold storage and 100% of the client digital assets in hot and other storage).
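As an added illustration (not part of the alert or the Circular), the following Python sketch encodes several of the Annexure controls as checks a custodian's control function might run: withdrawals only to addresses the client has registered, release by at least two distinct authorised staff with every decision written to an audit trail, and the 98% cold-storage and 50%/100% cover thresholds for VAs. Client ids, staff names and balances are constructed.

```python
"""Policy checks modelled on the Annexure controls (added example, not the
Circular's or KWM's own material). All data below is constructed."""
from dataclasses import dataclass, field

COLD_MIN_PCT = 98                     # at least 98% of client VAs in cold storage
COVER_COLD, COVER_HOT = 0.50, 1.00    # cover 50% of cold and 100% of hot/other


@dataclass
class Custodian:
    # client id -> wallet addresses the client has registered as their own
    client_addresses: dict[str, set[str]]
    authorised_staff: set[str]        # screened and trained personnel only
    min_approvers: int = 2            # no single person can release assets
    audit_log: list[dict] = field(default_factory=list)

    def authorise_withdrawal(self, client, dest, amount, approvers):
        """Return (ok, reason); every decision is appended to the audit trail."""
        approvers = set(approvers)    # duplicate sign-offs count once
        if dest not in self.client_addresses.get(client, set()):
            verdict = (False, "destination is not a registered client address")
        elif not approvers <= self.authorised_staff:
            verdict = (False, "approver is not on the authorised list")
        elif len(approvers) < self.min_approvers:
            verdict = (False, f"needs {self.min_approvers} distinct approvers")
        else:
            verdict = (True, "approved")
        self.audit_log.append({"client": client, "dest": dest, "amount": amount,
                               "approvers": sorted(approvers),
                               "ok": verdict[0], "reason": verdict[1]})
        return verdict


def cold_storage_ok(cold, hot):
    """True if the cold-stored share of client VAs meets the 98% threshold."""
    total = cold + hot
    return total == 0 or cold * 100 >= COLD_MIN_PCT * total


def required_cover(cold, hot):
    """Minimum insurance or compensation cover for client VAs per the Annexure."""
    return COVER_COLD * cold + COVER_HOT * hot


if __name__ == "__main__":
    c = Custodian({"c1": {"addrA"}}, {"ann", "bob", "cid"})
    print(c.authorise_withdrawal("c1", "addrA", 5, ["ann", "bob"]))
    print(c.authorise_withdrawal("c1", "addrZ", 5, ["ann", "bob"]))
    print(cold_storage_ok(980, 20), required_cover(980, 20))
```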
We have been assisting VATPs, custodians and others to work through very similar standards, assess their technology arrangements and create policies and procedures around them. In some cases, these standards require interpretation or indeed regulatory discussion, as an institution's existing arrangements may be commensurate with, or even exceed, the standards in areas such as cold storage, HSMs and resilient key/records storage.