Tokenised securities: Hong Kong SFC issues important guidance for intermediaries

The remainder of this article provides further details regarding the Intermediaries Circular.

FURTHER DETAILS

Why did the SFC publish the Intermediaries Circular?

On 2 November 2023, the SFC published the Intermediaries Circular in order to clarify its regulatory expectations for SFC-regulated intermediaries that engage in securities-token related activities. The guidelines in the Intermediaries Circular are designed to provide regulatory certainty, support responsible innovation while ensuring appropriate safeguards are in place to protect investors. 

The Intermediaries Circular should be read in conjunction with the SFC’s circular on tokenisation of SFC-authorised investment products, which was also published on 2 November 2023. We will analyse that circular in a future article. 

The SFC notes that financial institutions have shown growing interest in tokenising traditional financial instruments and many intermediaries are involved in tokenising traditional securities, advising on them, dealing in them and/or distributing them to clients.  

The SFC is generally supportive of intermediaries engaging in tokenised securities-related activities because tokenisation has the potential to increase market efficiency and transparency while reducing settlement time and transactional costs. 

The Intermediaries Circular provides guidance to intermediaries on how to address and manage new risks associated with tokenisation so that the market for tokenised securities can develop in a healthy, responsible and sustainable manner.

What are tokenised securities?

According to the SFC, tokenisation is the process of recording claims on assets that exist on a traditional ledger onto a programmable platform that uses DLT. As such, for the purpose of the Intermediaries Circular, the term “tokenised securities” includes “securities” (as defined in Section 1 of Part 1 of Schedule 1 to the Securities and Futures Ordinance (“SFO”)) where ownership and other information are recorded using a blockchain or other DLT instead of a traditional central register of holders. 

The SFO broadly defines “securities” to include, among other things, shares, stocks, debentures, bonds, notes, interests in a collective investment scheme (“CIS”) and SFC-authorised structured products. Therefore, an example of a tokenised security is a bond where information of its bondholders is recorded on a blockchain. Please see our earlier article, which provides an introduction to tokenisation of securities and other investment products. 

The SFC notes that tokenised securities are a subset of “digital securities”.[3] Since the Intermediaries Circular mainly focusses on tokenised securities but not other types of more complex digital securities, we take the same approach in this article. 

The Intermediaries Circular apply to “intermediaries” that engage in “tokenised securities-related activities”. We look at each of these two key terms in turn in the context of the Intermediaries Circular. The term “intermediaries” primarily includes SFC-regulated licensed corporations and registered institutions that are licensed or registered to engage in securities-related regulated activities,[4] such as Type 1 (dealing in securities), Type 4 (advising on securities) and Type 9 (asset management) regulated activities. The term “tokenised securities-related activities” primarily includes:

• an intermediary issuing or being substantially involved in the issuance of tokenised securities that it will deal in or advise on;
• an intermediary dealing in or advising on tokenised securities; and
• an intermediary managing a portfolio that invests in tokenised securities.

The SFC’s “see-through” approach to tokenisation

The Intermediaries Circular reflects the SFC’s “see-through” approach to tokenisation, whereby it regards tokenised securities as being fundamentally traditional securities with a tokenisation “wrapper”. In light of this characterisation, and consistent with the SFC’s “same business, same risks, same rules” regulatory principle, the existing legal and regulatory requirements governing traditional securities and related activities also apply to tokenised securities.  

This means that, for example, unless an exemption is available, offerings of:

• tokenised shares or debentures are subject to the prospectus regime under the Hong Kong Companies (Winding up and Miscellaneous Provisions) Ordinance (“C(WUMP)O”); and
• other tokenised securities are subject to the offers of investments regime under Part IV of the SFO.  

In addition, distribution of tokenised securities, advising on tokenised securities, management of tokenised securities in the form of tokenised funds, management of funds that invest in tokenised securities, secondary market trading of tokenised securities on virtual asset trading platforms (“VATPs”) and other regulated activities are governed by existing licensing, legal and regulatory requirements for securities-related activities in Hong Kong. Please see our earlier article on VATPs.  

Intermediaries must adequately address new risks related to tokenisation

Although tokenised securities are simply traditional securities with a “tokenisation wrapper”, their use of blockchain and other types of DLT does give rise to additional risks. While it is true that the existing legal and regulatory requirements that apply to traditional securities-related activities also apply to tokenised securities-related activities, the presence of additional tokenisation-related risks affect how intermediaries should meet or satisfy these requirements. In essence, when discharging their legal and regulatory obligations in respect of their tokenised securities-related activities, intermediaries should adequately identify, disclose, manage and otherwise address risks that are unique to tokenised securities.

What does adequately address tokenisation-related risks actually entail, and which risks should intermediaries focus on?

We consider each of these issues in turn. In the Intermediaries Circular, the SFC provides detailed guidance on how intermediaries should address tokenisation-related risks both generally and when they are engaging in specific securities-related activities, such as activities related to the issuance of tokenised securities as well as dealing in, advising on, or managing portfolios that invest in tokenised securities. The SFC’s guidance can be summarised as follows:

• General compliance obligations: As a general matter, when engaging in any type of tokenised securities-related activities, intermediaries should:
  • have the necessary staff, resources and expertise to understand the nature of and new risks associated with the relevant tokenised securities and related activities and manage such risks appropriately; and
  • act with due skill, care and diligence, and perform due diligence on the relevant tokenised securities to identify the key features and risks of both the underlying traditional securities being tokenised and the tokenisation “wrapper”.
• Issuance:  When intermediaries issue or are substantially involved in the issuance of the tokenised securities that they will deal in or advise on:
  • they remain responsible for the overall operation of the tokenisation arrangement despite any outsourcing to third-party service providers/vendors such as technology developers, platform providers, wallet service providers, custodians and AML solutions providers; and
  • they should analyse the features and risks of the relevant tokenised securities in considering the most appropriate custodial arrangement for the tokenised securities to manage ownership and technology-related risks.
• Dealing, advising or managing portfolios:  When intermediaries are dealing in, advising on, or managing portfolios that invest in tokenised securities:
  • they must conduct due diligence on the issuers and the third-party service providers/vendors involved in the tokenisation arrangement and on the features and risks arising from such arrangement; and
  • they should understand and be satisfied with the controls implemented by the issuers and third-party service providers/vendors to manage ownership and technology risks associated with the relevant tokenised Securities before they engage in related securities activities.
• Information for clients:  When intermediaries distribute tokenised securities to clients or otherwise deal with clients:
  • they should adequately disclose material information (including risks) that are specific to the relevant tokenised securities and communicate in a clear and easily comprehensible manner; and
  • they should provide clients with material information on the tokenisation arrangement covering topics such as settlement finality, transfer restrictions, smart contract audits, administrative controls and business continuity planning as well as custodial arrangements.

Which key tokenisation-related risks should intermediaries focus on?

According to the SFC, the tokenisation-related risk associated with tokenised securities include, among other things, ownership, technology, cybersecurity, AML, legal, regulatory, custody, business continuity and data privacy-related risks.  Of these, the SFC places particular emphasis on the following:

• ownership risks relating to how ownership interests in tokenised securities are transferred and recorded;
• custody risks relating to the safety and security of custodial arrangements for tokenised securities and protections against the risk of loss; and
• technology risks relating to blockchain network outages, cyberattacks, “forks”, loss of cryptographic keys and unauthorised transfers.

The nature and degree of risks associated with tokenisation vary according to the type of blockchain or DLT being used. The common types of blockchain or DLT include:

• private-permissioned, being a closed-loop private network with a centralised authority that controls and restricts access to predetermined users only;
• public-permissioned, being a public network with a centralised authority that controls and restricts access through authentication; and
• public-permissionless, being an open and public network that does not restrict access and is characterised by features such as decentralisation, pseudonymity and a large number of users.

The SFC states that tokenised securities in “bearer form” issued using permissionless tokens on a public-permissionless DLT network may give rise to heightened risks that warrant careful consideration by intermediaries. According to the SFC, a tokenised security is in “bearer form” where a person with practical control of the token according to the blockchain records can exercise the rights of a securityholder, such as the right to receive repayment of principal in the case of a tokenised bond.   

Bearer tokenised securities that use a public and open blockchain network are more exposed to the risk of theft and hacking.  In addition, because bearer tokenised securities can be transferred more easily and anonymously than registered tokenised securities, they give rise to additional AML risks and know-your-customer (“KYC”) compliance issues. As discussed further below, the SFC requires intermediaries to consider additional issues when evaluating the custodial arrangements for bearer tokenised securities. 

However, to be clear, a bearer token is still possible in a permissioned ecosystem or using other in-built technological controls (eg, in the token standard used). As such, it is important to be careful with any labels.

How should intermediaries assess risks associated with tokenised securities?

To provide further guidance to intermediaries about how they should go about assessing technology, ownership and other risks associated with tokenised securities, Part A of the Appendix to the Intermediaries Circular sets out a non-exhaustive list of factors for intermediaries to consider when performing their risk assessment. The full list should be read in its entirety. At a very high-level, it covers issues such as the following:

How should intermediaries evaluate custodial arrangements for bearer tokenised securities?

As noted above, intermediaries should consider whether custodial arrangements for tokenised securities can appropriately address ownership and technology-related risks. Bearer tokenised securities pose heightened custody risks that warrant closer scrutiny by intermediaries. 

To provide further guidance to intermediaries about how they should evaluate custodial arrangements for bearer tokenised securities, Part B of the Appendix to the Intermediaries Circular sets out a non-exhaustive list of factors for intermediaries to consider when performing their risk assessment. The full list should be read in its entirety. At a very high-level, it covers factors such as:

SFC’s latest policy position since 2019

The SFC’s Intermediaries Circular supersedes its 2019 Statement on security token offerings (“STOs”) and represents a more welcoming attitude towards tokenised securities.[5]

Tokenised securities are not limited to professional investors

In the 2019 Statement, the SFC stated that security tokens offered in an STO should only be offered to professional investors. In contrast to security tokens,[6] tokenised securities are traditional securities with a tokenisation wrapper.  Applying the SFC’s “see-through” approach to tokenisation, since traditional securities can be offered, marketed and distributed to non-professional investors, the SFC takes the position that offers of tokenised securities should not be restricted to professional investors. However, the SFC reminds intermediaries that offers of securities to non-professional investors are generally required to comply with the prospectus regime under C(WUMP)O or the offers of investments regime under Part IV of the SFO, as applicable.   

Tokenised securities are not automatically classified as complex products

In a further departure from the 2019 Statement, the SFC now views  tokenisation as a mere “wrapper”, which should not automatically cause a security to become a complex product.[7] Complex product status triggers additional suitability and other more onerous compliance obligations for intermediaries. According to the SFC, provided that the additional risks associated with tokenisation are effectively addressed in the manner described in the Intermediaries Circular, whether a tokenised security is a complex product should be based on an assessment of the complexity of the underlying traditional security, having regard to the factors set out in applicable SFC guidelines.[8]

Intermediaries must give prior notice to and discuss with the SFC about their tokenised securities-related activities

Consistent with the 2019 Statement, the Intermediaries Circular states that intermediaries interested in engaging in tokenised securities-related activities should discuss their business plans with their SFC case officer in advance. Intermediaries should provide information requested by the SFC from time to time regarding these activities. If an intermediary is an AI regulated by the HKMA, it should discuss its plans with both the HKMA and the SFC. 

Other key considerations in structuring tokenised securities

In structuring a tokenised security, we also suggest taking into account issues such as:

• cross-border legal and regulatory considerations – for example, if the underlying assets are located in China Mainland, some cross-border equity and debt financing structures and related capital control issues will need to be carefully analysed (please see our earlier article for a discussion of potential PRC regulatory issues);
• regulatory capital treatment for banks – intermediaries that are banks or subsidiaries of banks should note that to be classified as Group 1a cryptoassets and thereby receive more favourable regulatory capital treatment, tokenised securities must satisfy a stringent set of classification conditions under the Basel Committee’s capital standards for banks’ cryptoasset exposures, which the HKMA plans to implement in Hong Kong.  Please see our earlier article on the Basel cryptoasset capital standards;
• stamp duty and other paper-based processes, as well as the application of the Hong Kong Electronic Transactions Ordinance (Cap. 553);
• any interaction with real-world assets – for example, if a token represents rights to a tangible asset, a sophisticated and tailored approach to its custody, management, any economic participation and documentation is needed;
• the availability and requirements of any secondary trading venue; and
• fast-evolving regulatory requirements, particularly in relation to stablecoins, which may be structured as securities.

Where can I learn more about tokenised securities, the Intermediaries Circular and related issues? Come speak to us

KWM’s bilingual financial regulatory, financial markets, structured products and international funds teams have extensive experience in advising financial institutions, fund houses and fintech companies on a broad range of matters related to tokenisation, virtual assets, emerging fintech and financial regulation. 

We are familiar with the unique and nuanced commercial and legal issues faced by financial institutions, asset managers and fintech companies in the fast-evolving regulatory landscape in Hong Kong, China Mainland, Australia, Europe and the United States. We can provide a range of support for your tokenisation project, including initial structuring strategy, advice on licensing and product authorisation requirements, fund formation as well as the preparation and negotiation of product offering and transaction documents.  

Come speak to us - we would be pleased to share our further insights with you.