What you need to know about VATP regulation in Hong Kong

04 Mar 2024

Hong Kong is a virtual asset hub, with a number of Web3 businesses operating in and from Hong Kong or targeting the Hong Kong market. In this overview, Pádraig Walsh and Shirley Kong from the Fintech practice group of Tanner De Witt review the regulation of virtual asset trading platforms (VATP) in Hong Kong.

Part 1: A review of cryptocurrency regulation before VATP regulation

The history of cryptocurrency typically starts with the origin story of Satoshi Nakamoto, followed by the murky beginnings of the Silk Road marketplace, through the wild west ICO days, the rise of crypto titans, and to the nascent mainstream integration and institutionalisation of cryptocurrency. A hero’s journey.

But there is another storyline. This is the story of regulation. It does not have the same highs and lows. Rather it is a story of pragmatic evolution and sometimes slow progress. It is a story worth telling. It is the story of the turtle, not the hare.

International regulatory developments

The story of the regulation of virtual asset service providers (VASPs) has its roots in measures to combat money laundering and terrorist financing. These areas of regulation require an international approach. Bad actors using emerging technologies for illicit purposes will often use jurisdictional forum shopping as one of their strategies. International organisations such as the Financial Action Task Force (FATF), International Organisation of Securities Commissions (IOSCO), Financial Stability Board (FSB), Bank for International Settlements (BIS) and International Monetary Fund (IMF) have all looked at cryptocurrency. For quite a long time.

FATF

FATF began to focus on virtual assets in 2014,[1] which led to formal guidance on virtual currencies issued in 2015.[2] A key element of the 2015 guidance was the focus on the on and off ramps to traditional finance systems. This theme has remained constant since then, and has been supplemented by the rapid evolution of a variety of business models, including transactions entirely within the virtual domain.

FATF introduced the terms virtual asset and virtual asset service provider (VASP) to the vernacular in 2018, and made clear that FATF standards for anti-money laundering (AML) and counter-terrorist financing (CTF) applied to VASPs, including in respect of virtual-to-virtual transactions. Since then, there have been regular recommendations,[3] guidance notes and reports to provide detailed analysis on how to apply AML and CTF measures to virtual assets. These explained the application of a risk-based approach to virtual asset activities, and in particular, recommended licensing or registration systems for effective regulation and supervision.

This culminated in the publication of the Updated Guidance: A Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers in October 2021. This comprehensive paper included a detailed outline of FATF expectations on customer due diligence, record-keeping, transfers and the travel rule, and suspicious transaction reporting.

The work of FATF has been the main driver behind regulatory developments for virtual assets globally, including Hong Kong. As a global financial centre, it will always be vital for Hong Kong to be seen as contributing to and leading regulatory developments that provide enhanced AML and CTF measures. This context helps to explain why the legislative changes to enable the regulation of VASPs in Hong Kong appear in the Anti-Money Laundering and Counter-Terrorist Financing Ordinance[4] (AMLO). Regulators have viewed virtual assets through the lens of AML and CTF from the outset.

Other international bodies

The emergence of virtual assets attracted the interest and engagement of numerous other international bodies.

IOSCO first reported on distributed ledger technology in 2017.[5] IOSCO specifically addressed virtual asset trading platforms (VATPs) in its Consultation Report in 2019,[6] and identified key risk areas such as customer onboarding, custody, conflicts of interest and market integrity. In 2022, IOSCO established a board-level fintech task force, with a brief that included developing and implementing a regulatory agenda for virtual assets – dividing the work between crypto and digital assets (CDA) and decentralised finance. The CDA committee has produced a consultation report inviting responses to a comprehensive range of regulatory measures applying to VASPs.[7] The report highlights the global nature and unique characteristics of the market for virtual assets, and the need for robust regulatory standards and international regulatory co-operation. IOSCO is ultimately seeking optimal consistency in how virtual asset and securities markets are regulated, in accordance with the principle of “same activities, same risks, same regulatory outcomes”. This is a phrase the SFC in Hong Kong has often repeated.

IOSCO is of particular interest because in the period between 2016 and 2022, the CEO of the SFC in Hong Kong, Ashley Alder, also held the role of chair of the board of IOSCO. So, during the rapid emergence of virtual assets as an asset class of regulatory concern, the person chairing IOSCO was also leading the SFC.

The FSB, an international body formed by the G20, monitors and gives recommendations on the global financial system. The FSB reviewed the implications of virtual assets for financial stability in a report published in 2018,[8] noting the reputational risks to financial institutions and their regulators, risks arising from exposures of financial institutions, and risks arising if virtual assets become widely used in payments and settlement. This analysis was supplemented by a further report in 2022.[9] In the relatively short period of four years, the FSB noted that the trajectory of growth in scale and interconnectedness of virtual assets to financial institutions could have implications for global financial stability.

The BIS and the IMF have likewise been researching and publishing papers on virtual assets for a number of years.

Hong Kong regulatory developments

The sandbox

The Hong Kong story for regulation of virtual assets began in earnest with the announcement in November 2018 of a new approach to regulating virtual assets.[10] In his accompanying speech, Mr. Alder, then CEO of the SFC, introduced the topic by reference to the top priority given to virtual assets at IOSCO and the FSB. The risks associated with virtual assets referenced in the formal SFC regulatory statement[11] were practically a name-check of the risks that were identified in earlier IOSCO and FATF papers – volatility, auditing, security and custody, market integrity, money laundering, conflicts of interest, and fraud.

A key legal challenge to regulation of virtual assets was whether and how the SFC could exercise legal jurisdiction. The remit of the SFC extended (at that time) to the regulation of securities and futures contracts. VATP operators only providing trading services for virtual assets not falling within the definition of securities were not regulated. The other driving concern was whether VATPs were suitable for regulation. The SFC noted that VATPs were technically, structurally and qualitatively different from traditional stock and futures exchanges. The particular concern here was whether AML and CFT standards could be adhered to by VATPs.

Accordingly, the SFC started with an opt-in approach for centralised VATPs that provided trading, clearing and settlement services for virtual assets, and exercised control over investors’ assets. VATPs that proceeded would undergo a minimum 12-month review period in a sandbox environment before any formal application for regulatory approval could be submitted. From the VATP perspective, not a project for the faint of heart. For the regulators, baby, but positive, steps.

VATP licences for securities

12 months is a long time in the world of virtual assets, but a short time in regulatory developments. In that relatively short period, the SFC concluded that some types of centralised virtual asset trading platforms could be held to regulatory standards similar to those required of licensed automated trading service (ATS) providers or brokers.

On 6 November 2019, the SFC announced it was open to receive applications for licences from VATPs that include “at least one security crypto asset or token for trading”.[12] The applicable legislation was the Securities and Futures Ordinance[13] (SFO), and the relevant licences were for Type 1 (dealing in securities) and Type 7 (providing automated trading services) regulated activities. The regulatory framework[14] addressed for the first time in a comprehensive set of rules topics such as custody, AML and CTF, market integrity, acceptance criteria, and insurance. The VATP could only offer services to professional investors. This was still an opt-in system.

Even for those who opted in, there were still significant gaps. The regulatory framework only applied to VATPs that traded securities. If a virtual asset traded on a licensed platform was a security token, the authorisation process for an offer of investment and the prospectus registration regime in Hong Kong would not be triggered as the token could only be offered to professional investors.

This was still a bold step for the SFC. The conservative approach might have been to delay until legislative changes occurred to broaden the remit of the SFC. The SFC determined that this conservative option would not serve the public interest.

The SFC noted that the time required for processing a licensing application from a VATP may be longer than for a standard licensing application. The first licence was granted on 15 December 2020. The second licence was granted on 9 November 2022. This was a licence for the few, not the many.

AMLO

The next important development was the announcement of the legislative response to bring virtual assets that are not securities under the regulatory remit of the SFC. One of the key drivers remained the push made by the FATF toward greater regulation of the virtual asset space, particularly by adopting recommendations and standards that required jurisdictions to license VASPs to enforce the same range of AML and CTF obligations upon VASPs as apply to financial institutions.

Following a public consultation exercise, AMLO was amended to introduce the new VASP licensing regime into law. The specific virtual asset service subject to regulation was – no surprise – centralised VATPs, and the designated regulator for the new regime was – no surprise – the SFC. The changes to AMLO were gazetted on 24 June 2022 and became effective on 7 December 2022.

The legislative changes achieved the regulatory objective of having a VATP environment where substantially all cryptocurrency exchanges operating in Hong Kong must be licensed, even if they only deal with virtual assets that are not securities or futures contracts.

VATP licences for non-securities

Following a brief consultation period, the SFC announced and published its regulatory requirements for licence applications for VATPs on 1 June 2023.[15]

It is a comprehensive, prescriptive regime. Many of the notable features, though, have been present from the start. The regulatory object remains a level playing field and unified system of regulation for VATPs. The SFC specifically states that, as a virtual asset’s classification may change from a non-security token to a security token (or vice versa), VATPs should apply for licences under both the SFO and AMLO regimes. The general guidelines[16] address in detail the priority regulatory concerns of market integrity, custody of assets, insurance, and conflicts of interest. AML and CFT Guidelines[17] are extensive, and contain comprehensive guidance on customer due diligence, record-keeping, transfers and the travel rule, suspicious transaction reporting, and other AML and KYC concerns for virtual assets.

Conclusion

Hong Kong is a jurisdiction with an open mind to virtual assets, and has public government policy statements recording its vision for Hong Kong to be a global and regional hub for virtual asset businesses.[18] The regulators in Hong Kong are recognised as being at the forefront of initiatives to prudently regulate virtual assets. This leadership has been very much in step with the international developments in virtual asset regulation, and indeed Hong Kong regulators have been instrumental in leading and developing those international initiatives.

This does not translate to a soft regulatory environment. Instead, the benchmark set by the SFC for the VATP licence approval is high. This is consistent with the status of Hong Kong as a global financial services centre. That status is only accorded to jurisdictions that apply rigorous regulatory standards that ensure market integrity and stability and provide investor protection. The VATP licensing regime has been designed to maintain Hong Kong’s global position and standing.

The SFC is mindful that granting a VATP licence is a tacit endorsement of the licence holder. Those who are licensed will attract the confidence of investors. Nonetheless, this remains a licence for the few, not the many. A VATP licence will be difficult to obtain and maintain. Deservedly so.

The VATP licensing regime in Hong Kong is not a new initiative pieced together to cast some rules around a novel market opportunity. The seeds were sown several years ago in collaboration with international regulators, and progressed pragmatically through incremental developments, market consultations and legislative changes. It is part of a long-term vision. Regulators in Hong Kong rightly saw virtual asset market development as a marathon, not a sprint, and the role of the regulator to be the turtle, not the hare.

Part 2: The regulatory perimeter

It is possible to apply to the Securities and Futures Commission (SFC) in Hong Kong to obtain a licence to engage in activities relating to virtual assets. However, not all virtual asset services are regulated and require a licence from the SFC. So, the key question is what virtual asset services trigger this licensing requirement.

VASP regulation

Ask a person outside Hong Kong what services are regulated in respect of virtual assets, and the person might propose these five service lines:

1. exchange between virtual assets and fiat currencies;

2. exchange between one or more forms of virtual assets;

3. transfer of virtual assets, that is to say, to conduct a transaction on behalf of another person that moves a virtual asset from one virtual asset address or account to another;

4. custodian wallet provider; and

5. participation in, and provision of, financial services related to an issuer’s offer or sale of a virtual asset or both.

These are the services outlined for the regulation of VASP by FATF.[19] These are further expanded to ten possible service lines in the Markets in Crypto-Assets Regulation (MiCA) adopted by the EU.[20]

The position in Hong Kong is different. The key requirement of the VASP regime in Hong Kong is that a person must not carry on a business in Hong Kong of providing a virtual asset service, or hold himself out as doing so, unless the person holds a licence from the SFC to do so.[21] This restriction will also apply to persons outside Hong Kong that actively market the virtual asset service to the public in Hong Kong. However, the only virtual asset service presently regulated under the VASP regime in Hong Kong is the operation of a centralised virtual asset trading platform (VATP). In Hong Kong, for now, VASP regulation is, in effect, VATP regulation.

What are virtual assets?

A virtual asset is a cryptographically secured digital representation of value, typically in the form of a digital token.

The virtual asset must fulfil three core characteristics to be a virtual asset within the scope of regulation under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO)[22]. These characteristics are that the virtual asset:

(a) is expressed as a unit of account or a store of economic value;

(b) either:

(i) is used or intended to be used as a medium of exchange accepted by the public for paying for goods or services, discharging of debt or making investments. These are the typical characteristics of payment tokens; or

(ii) provides rights, eligibility or access to vote on the management, administration or governance of affairs, or the terms, of any arrangements in relation to the virtual asset. These are the typical characteristics of governance tokens; and

(c) can be transferred, stored or traded electronically.[23]

The SFC can supplement the characteristics necessary for a regulated virtual asset, and the Secretary for Financial Services and the Treasury can prescribe a particular virtual asset to be a regulated virtual asset.

Carve-outs

A virtual asset will not be regulated under AMLO if the virtual asset is:

(a) issued by a central bank or government, or its related entity;

(b) a limited purpose digital token;

(c) a security or futures contract (which is regulated separately under the Securities and Futures Ordinance[24]); and

(d) a float or stored value facility deposit of a stored value facility (which is regulated separately under the Payment Systems and Stored Value Facilities Ordinance[25]).[26]

Again, the SFC can supplement the characteristics necessary to be excluded from the scope of a regulated virtual asset, and the Secretary for Financial Services and the Treasury can expressly exclude a virtual asset from the scope of regulation.

Limited purpose digital tokens

Limited purpose digital tokens are:

(a) customer loyalty or reward points;

(b) in-game assets; or

(c) digital representations of value that are similar to a customer loyalty or reward point or in-game asset, and which are not intended by their issuer to be convertible into money or another medium of exchange accepted by the public.[27]

Customer loyalty or reward points

These are digital representations of value that:

(a) are not denominated in any currency;

(b) have as their dominant purpose to promote the purchase of goods or the use of services which are provided by their issuer or any merchant specified by their issuer;

(c) are issued to a person on the purchase of those goods or the use of those services; and

(d) may only be used by the person for the payment, part payment or exchange of those goods or services.[28]

Generally, only closed loop customer loyalty and reward points will fall within the scope of the exception. Examples of customer loyalty and reward points are mileage points, credit card reward schemes or reward campaigns in shops and shopping malls.

In-game assets

An in-game asset is a digital representation of value that:

(a) is purchased or otherwise acquired by a person;

(b) is not denominated in any currency;

(c) is issued as part of a game; and

(d) may only be used by the person to pay or exchange for:

(i) virtual objects or services in the game;

(ii) similar things within or in relation to the game; or

(iii) similar things that are part of the game.[29]

Examples of in-game assets are gaming coins or points for upgrading or entitlement to more resources within the gaming environment. 

Are NFTs considered to be virtual assets?

The issue of whether NFTs are virtual assets regulated under AMLO must be assessed according to the function of the NFT in the context of the definition of a virtual asset in AMLO.

An NFT will be unlikely to fall within the definition of a virtual asset under AMLO if the NFT is merely a genuine digital representation of a collectible. This type of NFT is unlikely to be considered as being a unit of account or a store of economic value, nor to be a medium of exchange accepted by the public or a token that provides holders with rights, eligibility or access to vote. In short, an NFT that is only a digital representation of a collectible (and nothing more) is not a payment token nor a governance token.

Regulated activities

The scope of regulated activities in relation to provision of services of virtual assets under AMLO (VA Service) includes:

(a) carrying on a business of a VA Service or holding out as such;

(b) issuing an advertisement relating to an unlicensed person’s provision of VA Services; and

(c) actively marketing VA Services.

What is a VA Service?

The only VA Service regulated under AMLO presently is the operation of a VA exchange, that is, a VATP.

What is a VATP?

A VATP must fulfil three characteristics, being:

1. The services must be provided through electronic facilities. The nature of the electronic facilities is not explained further in AMLO.

2. The services must comprise[30] either:

(a) regularly making and accepting offers to sell or purchase virtual assets in a way that forms or results in a binding transaction; or

(b) introducing or identifying persons to each other in order that they may negotiate or conclude sales or purchases of virtual assets in a way that forms or results in a binding transaction.

This language is similar to the language used in the SFO to describe the regulated activity of automated trading services in respect of securities or futures contracts.

3. In the course of providing the services, the client money or client virtual assets must come into the direct or indirect possession of the operator of the VATP. Client money and client virtual assets[31] are money or virtual assets received or held by the operator on behalf of its client, or in which the client has a legal or equitable interest (or any accretion to those assets). This is a characteristic of a centralised exchange.

There are certain virtual asset arrangements that do not fall within the regulatory scope of a VATP under AMLO. These include[32]:

(a) peer-to-peer platforms, as these platforms do not involve a centralised party providing intermediation activities to investors; or

(b) order routing facilities and simple bulletin boards, as these platforms do not involve the use of automated trading engines.

The licensing requirement

A company or other business entity that carries on a business of operating a VATP that constitutes a VA Service, or holds itself out as such, must have a licence from the SFC permitting it to do so.[33]

An individual that performs any regulated function in relation to a business of operating a VATP that constitutes a VA Service, or holds himself out as such, must have a licence as a licensed representative from the SFC permitting him to do so.[34] A regulated function is generally considered as a function performed for or on behalf of the VATP in relation to the regulated services of the VATP[35], but excludes normal work done by an accountant, clerk or cashier[36].

Actively marketing a regulated activity

Generally, no person may actively market to the public of Hong Kong any services which would constitute a regulated VA Service if provided in Hong Kong, unless that person is licensed by the SFC to do so. Critically, a person who markets a regulated VA Service to the public in Hong Kong, but from a place outside Hong Kong, must still obtain a licence from the SFC in Hong Kong before conducting that active marketing activity. This provision has extra-territorial effect.

Relevant factors that indicate that a person is actively marketing to the public in Hong Kong include whether:

(a) there is a detailed marketing plan to promote the services;

(b) the services are extensively advertised via marketing means such as direct mailing, advertisements in local newspapers, broadcasting or other “push” technology over the internet (as opposed to where the services are passively available e.g. on a “take it or leave it” basis);

(c) the related marketing is conducted in a concerted manner and executed in accordance with a plan or a schedule, which indicates a continuing service rather than a one-off exercise; and

(d) the services are packaged to target the public of Hong Kong, such as being written in Chinese and with values denominated in Hong Kong dollars.

Advertisements

Unless an exemption applies, a person is not permitted to issue or have in his possession for the purpose of issue:

(a) an advertisement or a document showing an advertised person holding himself out as being prepared to provide a VA Service. This can be a newspaper, brochure, circular, notice or a prospectus; and

(b) which the person knows the advertised person is not licensed for the VA Service.[37]

Conclusion

One of the most interesting features of the VASP regulatory regime introduced in Hong Kong is that the regulatory perimeter is quite narrow. The only regulated activity for which a licence is needed from the SFC for virtual assets that are not securities is the operation of a VATP. There is no requirement for a licence to provide a custodian wallet service for virtual assets that are not securities, nor for advice in respect of the offer or sale of such virtual assets.

This unusual feature was addressed by the Financial Services and Treasury Bureau of the Hong Kong government in its consultation conclusions to the changes to AMLO to introduce the VASP regime[38]. A VATP is the most prevalent and developed industry area in Hong Kong in the virtual asset space. Other virtual asset activities noted by FATF are not significant in the Hong Kong market, and their fund movements can be monitored for AML/CTF purposes where they interface with financial institutions. This is an evolving area, and this current form of VASP regulation may be a comma, rather than a full stop. More regulation will follow as the market evolves. There is flexibility in the licensing regime in AMLO for new regulated activities for virtual assets to be supplemented as the need arises in the future.

In Hong Kong, for now, VASP regulation is, in effect, VATP regulation.

Part 3: The VATP transitional arrangements

The regulation of virtual asset trading platforms (VATP) was introduced in Hong Kong at a time when a number of these trading platforms were already operating in Hong Kong. The Securities and Futures Commission (SFC) has helpfully outlined a roadmap to facilitate those businesses, or others looking to enter the Hong Kong market, to understand the path to the single licensing regime for securities and non-securities virtual asset trading platforms contemplated by the SFC. This is particularly important as, unless the benefit of transitional arrangements applies, effective from 1 June 2023 VATPs carrying on their business in Hong Kong or actively marketing services to Hong Kong investors without a valid licence will be in breach of the licensing requirements in Hong Kong. The transitional arrangements are set out under the licensing regime under the Anti-Money Laundering and Counter-Terrorist Financing (Amendment) Ordinance (Cap. 615 of the Laws of Hong Kong) (AMLO Regime).

Eligibility to the transitional arrangements

The transitional arrangements are designed to provide sufficient time for pre-existing VATPs to comply with the requirements of the AMLO Regime, or otherwise wind down their operations in an orderly fashion.

A pre-existing VATP means a VATP that was in operation in Hong Kong with a meaningful and substantial presence before 1 June 2023. These are the relevant factors the SFC will consider in assessing whether a VATP qualifies as a pre-existing VATP:

  • Was the VATP incorporated in Hong Kong?
  • Did the VATP have a physical office in Hong Kong?
  • Did employees in Hong Kong have central management and control over the VATP?
  • Were the key personnel based in Hong Kong?
  • Was the centralised trading platform’s operation live with a considerable number of clients and genuine trading volume in Hong Kong?

Eligible entities would typically include platform operators currently licensed under the Securities and Futures Ordinance (Cap. 571 of the Laws of Hong Kong) (SFO), and VATP applicants under the existing SFO regime which have commenced trading non-security tokens in Hong Kong.

Individuals performing regulated functions for qualified pre-existing VATPs can also benefit from the transitional arrangements.

Transitional arrangements

Transitional arrangements only apply to the trading of non-security tokens. There are no transitional arrangements for VATPs dealing with security tokens. These activities are already regulated under the current SFO regime.

The transitional arrangements consist of two stages. There is a non-contravention arrangement from 1 June 2023 to 31 May 2024, and then a deeming arrangement from 1 June 2024 until the application is approved, refused, or withdrawn.

There are three possible scenarios arising from the transitional arrangements:

1. a pre-existing VATP may wish to apply for a VATP licence,

2. a pre-existing VATP may choose not to apply for a licence, and

3. a platform operator that is not a pre-existing VATP may wish to apply for a VATP licence.

1. Pre-existing VATPs applying for a VATP licence

Eligible pre-existing VATPs that intend to continue operations in Hong Kong should submit a licence application before 29 February 2024. These businesses are permitted to operate in Hong Kong during the non-contravention period from 1 June 2023 to 31 May 2024. This means pre-existing VATPs that intend to continue their business in Hong Kong can continue to carry on or hold themselves out as carrying on a business of operating a virtual asset trading platform during this period without committing an offence under AMLO regulation for conducting a regulated activity without a valid licence.

In its VATP licence application to the SFC, the VATP must confirm that:

(a) it has been operating a pre-existing VATP in Hong Kong immediately before 1 June 2023; and

(b) it will, on being deemed to be licensed, comply with the regulatory requirements applicable to a licensed VATP, and have arrangements in place to ensure such compliance. 

After the application is submitted, the applicant may benefit from the deeming arrangement. The deeming arrangement will apply if the SFC is satisfied, in addition to the confirmations made in the application, that the platform operator has a reasonable prospect of successfully showing to the SFC that it is capable of complying with the relevant legal and regulatory requirements. An applicant that is deemed to be licensed can carry on the operations of its trading platform in Hong Kong while its licence application continues to be considered and finalised by the SFC. This is the case even though the applicant is not yet in fact licensed as an authorised VATP in Hong Kong pending the result of its application.

Application outcome

The SFC may consider that not all the requirements of the licence application are met or the VATP does not have a reasonable prospect of successfully showing that it is capable of complying with the relevant requirements. Then, the SFC may issue a notice informing the applicant that it will not qualify for the deeming arrangement and will therefore withdraw its application, subject to the applicant’s right to object. The SFC will have to issue a notice of its decision by the end of the non-contravention period. In this event, the applicant must proceed to close down its business by 31 May 2024 or within three months of the issuance of the notice (whichever is later).

Alternatively, the SFC may consider that the application meets the deeming conditions. In this case, no notice will be issued and the applicant will automatically be deemed to be licensed from 1 June 2024 until its licence is approved, withdrawn or refused (whichever is earlier). The VATPs or individuals deemed to be licensed or approved should observe the relevant legal and regulatory requirements under the AMLO Regime as if they were formally licensed or approved (including the financial resources and soundness requirements). Deemed VATPs and individuals will be subject to the SFC’s supervisory, disciplinary, intervention and other applicable powers. 

Individuals

The transitional arrangements also apply to an individual performing or holding himself out as performing regulated functions for pre-existing VATPs. Those individuals may continue to operate in Hong Kong during the non-contravention period without committing an offence under AMLO regulation for conducting a regulated activity without a valid licence.

If the individual wishes to benefit from the deeming arrangements after 1 June 2024, then the individual must apply to be a responsible officer or licensed representative of a pre-existing VATP, and in the licence application must confirm that:

(a) he has been performing a regulated function in Hong Kong for a VATP (whether operating in Hong Kong or elsewhere) immediately before 1 June 2023 (in the case of responsible officers); and

(b) he is performing a regulated function in Hong Kong for the pre-existing VATP at the time of application (for both responsible officers and licensed representatives).

The individual must also confirm that he will, on being deemed, comply with the regulatory requirements that apply to individuals under the AMLO Regime.

2. Pre-existing VATPs not intending to apply for a licence

If a pre-existing VATP does not wish to apply for a licence in relation to the trading of security tokens and non-security tokens, then it should wind down its business in an orderly fashion. The ultimate deadline for ceasing the regulated activity is 31 May 2024. During the winding-down time, the VATP must not conduct further active marketing of their services to Hong Kong investors.

3. New VATPs to Hong Kong

VATPs not operating in Hong Kong immediately before 1 June 2023 in a meaningful and substantial manner should not carry on the business or actively market the VATP business to Hong Kong investors until they are formally licensed by the SFC. They may submit the application any time after 1 June 2023. In other words, they are not entitled to benefit from the transitional arrangements.

Dual licensing regime

The SFC strongly recommends and expects VATPs to seek approvals under both the AMLO Regime and the SFO regime. New applicants must submit a consolidated application online. Those already licensed by the SFC or with pending SFO applications will only need to submit information additionally required under the AMLO Regime.

Public lists of VATPs

There are currently five lists published on the SFC’s website indicating the following regulatory status of VATPs:

  • Licensed VATPs: These are VATPs that are formally licensed under the SFO regime, AMLO Regime or both.
  • VATP applicants: These are VATP applicants whose licence applications have yet to be approved by the SFC.
  • VATP applicants with applications turned down: These are VATPs whose application has either been returned or refused by the SFC, or withdrawn.
  • VATPs closing-down: These are VATPs who have been requested to close down within a specified period and therefore should not engage in any business activity.
  • Deemed licensed VATPs: These are VATP applicants who are deemed to be licensed as of 1 June 2024, but are not yet formally licensed as platform operators.

Conclusion

The VATP regulatory regime in Hong Kong is moving to a single playing field for all virtual asset trading platforms. Pre-existing VATPs can benefit from helpful transitional arrangements to allow continued operations either while preparing a licence application or while closing their operations in Hong Kong. This is a helpful bridge for those who qualify for the transitional arrangements. However, VATPs should not readily assume they are qualified pre-existing VATPs, and all VATPs – whether operating in or entering the market – must ensure their current operations are lawful and permitted in Hong Kong.

Part 4: The VATP licence application

A business that operates a centralised virtual asset trading platform (VATP) in Hong Kong, or actively markets the business to persons in Hong Kong, must obtain a licence from the Securities and Futures Commission (SFC) in Hong Kong. This is good news. There is a clear path to a regulated and licensed means of conducting business as a VATP in Hong Kong. Businesses should be aware that the regulatory approach in Hong Kong is to provide a clear, prescriptive set of rules. The regulatory bar is high.

The regulatory framework at a glance

There is a dual regime in Hong Kong for the regulation of VASPs operating VATPs. One regime applies to the offering of the trading of security tokens. This activity will require the VASP to apply to the SFC to obtain both Type 1 (dealing in securities) and Type 7 (automated trading services) licences under the Securities and Futures Ordinance[39] (the “SFO regime”). The other regime applies to the trading of non-security tokens. This activity will require the VASP to apply to the SFC to obtain a licence under Part 5B of the Anti-Money Laundering and Counter-Terrorist Financing Ordinance[40] (the “AMLO regime”).

The regulatory approach is to impose the same requirements under both regimes to the extent practicable, so as to create a single, level playing field for the operation of VATPs in Hong Kong. The SFC expects that VASPs who are licensed under the SFO regime must also hold the corresponding licence under the AMLO regime, and vice versa.

Under both regimes, licensees are required to comply with the following guidelines, in addition to any other applicable SFC codes and guidelines:

1. Guidelines for Virtual Asset Trading Platform Operators (“VATP Guidelines”);

2. Guideline on the Anti-Money Laundering and Counter-Financing of Terrorists (“AML Guidelines”) for licensed corporations, VATPs and their associated entities; and

3. Disciplinary Fining Guidelines.

The AMLO regime does not apply to over-the-counter virtual asset trading activities or virtual asset brokerage activities that do not involve an automated trading engine and ancillary custody services.

The licence application

The SFC has published application forms for applicants who wish to seek licences under the dual regulatory regime, which can be accessed on this link. The forms outline the key information and supporting documents to be submitted with the application.

There are three key features:

External assessor reports: The SFC requires a qualified external assessor to be involved early in the process to review the policies and procedures of the VATP, and advise on system implementation and enhancement or rectification measures. The external assessor must produce a report (Phase 1 Report) to be submitted together with the licence application form, and the report must confirm that there is a reasonable prospect of the applicant fully complying with all SFC requirements for the VATP on the grant of a licence. A second report from a qualified external assessor confirming full compliance with SFC requirements will be needed before the grant of the VATP licence (Phase 2 Report).

The external assessor must have relevant qualifications and experience to review at a granular level the implementation of all expected regulatory requirements. The external assessor report requires a multi-disciplinary approach. It includes a review of technology infrastructure, cybersecurity, operational controls, and AML standards. It is not a document-only policy review.

Not four ROs: One individual may be concurrently approved under both the SFO regime and AMLO regime. A dually-licensed platform operator is not required to maintain four different responsible officers.

Apply for both regimes: The SFC encourages applicants to apply for approvals under both the existing SFO regime and the AMLO regime on the basis that the classification of a virtual asset as a security token or a non-security token changes from time to time. The SFC commented that withdrawing a token previously admitted in light of the change of status may not be in the best interests of clients and should only be the last resort.

Key operational areas to consider before licence submission

There are a number of key areas that the SFC will focus upon in the assessment of licence applications by VATPs. Many of these risk areas remain critical areas for review as ongoing obligations once the VATP licence has issued.

1. Retail access

There are two key considerations for VATP operators before they consider retail access:

(a) First, as a global consideration, VATP operators must have robust investor protection measures covering onboarding, governance, disclosure and token due diligence and admission.

(b) Then, as an individual consideration, VATP operators must ensure retail investors understand the features of the tokens, and the associated risks before trading. This requires a suitability assessment.

2. Onboarding requirements

The SFC’s view is that most virtual assets are high risk, and so are only suitable for clients who have a high risk tolerance. A VATP operator must conduct a holistic assessment on the suitability of its clients at the onboarding stage, with a particular emphasis on retail clients. A VATP operator should assess the knowledge of investors in virtual assets, with the limited exception of institutional and qualified corporate professional investors. The assessment must take into account a client’s personal circumstances, risk tolerance and knowledge about the nature and risks of virtual assets. The assessment should also review and consider the level and extent of virtual asset training or courses the client has taken, and the client’s current or previous work experience in this space.

3. Token admission and review committee

A VATP operator must establish a token admission and review committee with clear policies and procedures for the purpose of admitting, suspending or withdrawing a virtual asset for trading.

The members of the committee must be those principally responsible for managing the business, and must include, in particular, the managers-in-charge of the compliance, risk management and information technology departments of the VATP operator. There is no requirement to appoint independent external members to the committee, provided that adequate policies and procedures are in place.

4. Token due diligence

A VATP operator is required, without exception, to exercise due skill, care and diligence in conducting due diligence on each virtual asset prior to admission for trading. The due diligence process must be organised so that the source of information in relation to each virtual asset is the issuer, where possible. The information on virtual assets obtained in due diligence should be disclosed accurately, and not in a biased, misleading or deceptive manner. The overall objective is to ensure the information obtained is reliable and sufficient for the committee to make its decision on the token admission.

General token admission criteria include:

(a) The platform operator should consider the regulatory status of the token before it is admitted for trading, but should also be mindful of compliance with local laws and regulations in every jurisdiction in which the platform operator or its affiliates provide trading services;

(b) There must be at least a 12-month track record in respect of newly launched non-security tokens;

(c) There must be a smart contract audit for smart-contract based virtual assets. The smart contract audit may be conducted either by the VATP operator or an independent assessor;

(d) If token trading is to be offered to retail investors:

(i) where the token is a non-security token, there must be a legal opinion confirming that fact; and

(ii) where the token is a security token, the offering must comply with the prospectus regime under the Companies (Winding Up and Miscellaneous Provisions) Ordinance (Cap. 32) and the offers of investments regime under Part IV of the SFO.

Specific token admission criteria include:

(a) Tokens must have high liquidity; and

(b) Tokens must be eligible large-cap virtual assets included in at least two acceptable indices issued by two independent index providers. This is a basic minimum requirement. The index providers should be internationally recognised, and be independent of the issuer and of the platform operator. One of the index providers must have prior experience in publishing indices for the traditional securities markets.

5. Gifts and other benefits

A VATP operator must have an anti-bribery and corruption policy that deals with gifts, rebates or benefits from clients and counterparties. The VATP operator, its associated entity and their respective employees are allowed to accept gifts, rebates or other benefits from clients or other counterparties, provided the internal policies are in place and complied with.

A VATP operator must not provide any financial accommodation for its clients to acquire virtual assets, and must not give gifts, commission rebates or other benefits as part of the solicitation or recommendation of a virtual asset (other than a discount on fees and charges).

6. No cooling-off period

As investor suitability must be conducted by the VATP operator before client onboarding, there is no additional requirement to have a cooling-off period. This is an acknowledgement of the potential difficulties in unwinding or cancelling transactions in automated trading if there was a cooling-off period in which matched trades could be unwound or cancelled.

7. Insurance or compensation arrangement

Coverage requirements can be met by insurance or by compensation funds. Coverage requirements differ according to whether tokens are saved in hot storage or cold storage.

Cold storage. If 98% of client virtual assets will be held in cold storage, then the coverage threshold for client virtual assets held in cold storage is 50%. This reflects the lower risks associated with tokens in cold storage, and aligns those risks to the custody risks in traditional financial markets.

Hot storage. Client virtual assets in hot wallets must be fully covered. Virtual assets held in hot storage are more susceptible to hacking and other cybersecurity risks. A VATP operator should hold less than 2% of the client’s virtual assets in hot storage.

Compensation funds can be in the form of bank guarantees, demand deposits or fixed deposits with a maturity of six months or less. It is also acceptable to have reserve virtual assets instead of traditional monetary products. Compensation funds should either be subject to third-party escrow arrangement or set aside by the platform operator on trust. The over-riding requirement is that the compensation funds are segregated from the assets of the VATP operator and its associated entity. VATP operators are permitted to establish a pool of funds jointly or individually in the form of an insurer to compensate clients in the event of losses.

8. Custody of client virtual assets

Client virtual assets must be held by a wholly-owned subsidiary of the platform operator i.e. its associated entity. All seeds and private keys must be stored in Hong Kong. The seeds and private keys should be generated offline and kept in a secure environment in accordance with international security standards and best practices. Access to seeds and private keys relating to client virtual assets should be on exceptional restricted access among a limited group of authorised personnel.

9. Proprietary trading

The SFC will only permit limited proprietary trading in the form of off-platform back-to-back transactions[41]. All other proprietary trading is prohibited. It is permitted for third party VATP operators to conduct market-making activities to increase the liquidity of a trading platform.

10. Algorithmic trading and other services

VATP operators are prohibited from providing algorithmic trading services to their clients. However, the VATP operator’s clients can use their own algorithmic trading system via the trading platform.

Trading in virtual asset derivatives is not currently permitted. Other virtual asset-related services such as earning, deposit-taking, lending and borrowing are also not permitted.

11. AML/CTF matters

The Travel Rule: The Travel Rule requires that VATP operators (whether acting as the ordering institution or the beneficiary institution) must obtain and hold certain required information about the originator and recipient in relation to virtual asset transactions. This is an important measure to facilitate sanctions screening and transaction monitoring. The current requirement is that VATP operators must submit the required information to the beneficiary institution as soon as practicable (instead of “immediately”) after transfer of the virtual asset is made. However, this interim measure will only last until 1 January 2024.

VATP operators operating with unhosted wallets are subject to similar requirements, and must also obtain the required information from the customer and conduct sanctions screening. They should ascertain the ownership or control of the unhosted wallet on a periodic and risk-sensitive basis, and only accept transfers from reliable unhosted wallets having regard to the screening results of the virtual asset transactions and the associated wallet addresses.

Screening of VA transactions and associated wallet addresses: Screening should be performed:

(a) before conducting a VA transfer or before making the assets available to the customer, and

(b) after conducting the transfer on a risk sensitive basis.

VA transfer counterparty due diligence: Counterparty due diligence measures should be applied on a risk-based approach, taking into account factors such as the types of products and services offered by the counterparty, the types of customers it serves, and the AML/CFT regime in the jurisdiction in which it operates. There should be ongoing monitoring of the virtual asset counterparty in respect of virtual asset transfers on a risk-based approach.

Returning virtual assets: If the required information for a virtual asset transfer is lacking and there is a potential breach of the Travel Rule if the transfer proceeds, then the VATP operator should only return the virtual assets where appropriate and where there is no suspicion of ML/TF. The return should be made to the account of the ordering institution, rather than the originator’s account.

12. Capital requirements

Share capital: A minimum of HK$5 million paid-up share capital.

Liquid capital: The higher of HK$3 million or the basic amount[42].

Working capital/liquid assets: Liquid capital in the form of cash, deposits, treasury bills and certificates of deposit (but not virtual assets) equivalent to at least 12 months of its actual operating expenses calculated on a rolling basis.

13. Other requirements

Responsible officers. At least two responsible officers, of whom at least one should be an executive director.

Managers-in-charge. As with other licensed corporations, individuals with sufficient decision-making authority should be responsible for eight core functions, being (i) overall management oversight, (ii) key business line, (iii) operational control and review, (iv) risk management, (v) finance and accounting, (vi) information technology, (vii) compliance and (viii) anti-money laundering and counter-terrorist financing. The same person can be appointed as the MIC for different core functions, and two or more persons may be appointed on a joint basis for one single core function. The SFC expects that responsible officers will also be the MICs in respect of the two core functions of Overall Management Oversight and Key Business Line.

Cybersecurity. At least one responsible officer should be responsible for the overall management and supervision of the platform, and be responsible for the cybersecurity of the platform, including conducting an independent cybersecurity assessment before launch.

Independent audit. An independent audit function is required to examine, evaluate and report on the adequacy, effectiveness and efficiency of the management, operations and internal controls of the platform.

Location of IT and data system. Preferably in Hong Kong.

Application process and timeline

Prospective VATP applicants are required to obtain external assessments, in two phases, in respect of their business. The purpose of the external assessment report is to assist the VATP applicant to understand the requirements of the SFC for system implementation, and to identify enhancements or rectification measures that are necessary and appropriate to meet those requirements. This process may take six to twelve months depending on the sophistication and preparedness of the platform.

After the first phase of external assessment is conducted, the VATP applicant can submit the Phase 1 report along with the streamlined licence application pack and application fees.

If the SFC is satisfied with the Phase 1 report, the SFC will undertake its review process that will lead to an approval-in-principle. The second phase external assessment report can be submitted after the approval-in-principle is granted.

The processing time for the VATP licence varies depending on a number of factors, including:

  • the quality and completeness of the application and supporting documents;
  • the types of services/products being offered;
  • the adequacy of the internal control measures;
  • the time taken for capital injection to meet the financial requirements;
  • response time to provide any further information during the assessment process; and
  • the number of applications the SFC is processing at the material time.

We estimate that the processing time is likely to take at least 12 months from the acceptance of the Phase 1 report by the SFC.

Conclusion

The regulatory bar to being licensed as a VATP operator is high. The process of conducting a licence application is long and costly, and may not result in success. Once licensed, the ongoing obligations are many and onerous. This is a licence for the few, not the many.

However, the VATP licensing regime is a key to unlocking the future possibilities of digital assets in a global financial centre with deep experience in financial markets. That is a door worth opening.

Part 5: The VATP Guidelines

As part of its application for a virtual asset trading platform (VATP) licence in Hong Kong, the applicant must demonstrate full compliance with conditions and guidelines set out in the Guidelines for Virtual Asset Trading Platform Operators (“VATP Guidelines”) published by the SFC. This is required both to obtain the VATP licence, and then as a continuing obligation to maintain the licence.

The VATP Guidelines cover a wide range of areas. Some are familiar requirements for licensed corporations. Others are specific, or especially relevant, for VATPs. We will focus upon the more specific requirements for VATPs.

Fit and proper requirements

The licensed corporation, and its responsible officers and licensed representatives, must satisfy the SFC that they are fit and proper to be licensed, and they must continue to be fit and proper. The SFC will consider:

(a) financial status or solvency;

(b) educational or other qualification or experience;

(c) ability to carry on relevant activities competently, honestly and fairly; and

(d) reputation, character, reliability and financial integrity.

Persons are generally expected to be able to display an understanding of virtual assets and the virtual asset market.

The SFC also expects non-executive directors, key personnel (managers, officers, directors and chief executives), substantial shareholders, ultimate owners and other controllers to meet the requirements of being fit and proper.

Competence

Competence requirements apply both to the intended licensed corporation and the individuals who will be responsible officers or licensed representatives.

The SFC will require information, documents and data to assess the competence of the corporation. The areas of focus will include:

Business: Business lines, clients, products, services, remuneration model and business risk analysis;

Corporate governance: Chain of ownership and voting power; skills, experience and competence of board of directors and senior management; and policies and procedures for effective management;

Staff competence: Qualifications and suitability of responsible officers, licensed representatives, managers-in-charge and other supervisory staff of both front and back office;

Internal controls: Requirements to have proper documentation, audit trails and reporting systems; systems to ensure data integrity;

Operational review: Organisational structure to ensure personnel engaged in operational review roles are independent of core business functions, and have a separate and independent reporting line;

Risk management: Policies and procedures are in place to set proper exposure limits, to monitor risks and to deal with exceptions to risk limits; and

Compliance: Systems are in place to ensure compliance with legal and regulatory requirements and internal policies and procedures, and to address and resolve conflicts of interest.

The corporation competence requirements highlight that two key appointments will be:

(a) a qualified information technology manager appropriately experienced to maintain the integrity of the corporation’s operating systems; and

(b) an independent risk manager with appropriate qualifications and authority to oversee and monitor the corporation’s risk exposures and systems. The SFC expects there to be clear segregation of duties, and the responsibilities of the risk manager should be clearly separated from those of front office personnel. The SFC also expects that, in most circumstances, more than one person will need to be appointed.

The SFC has given some consideration in its competence assessment for individuals to account for the recency of virtual assets as an asset class, and of regulation in the virtual asset space generally. The SFC will expect the individual to have relevant industry experience. This means hands-on working experience acquired by carrying on of the relevant activities in Hong Kong or similar activities regulated elsewhere. However, the SFC will consider experience gained in a non-regulated situation, for example, where the experience is relevant but the related activities were exempted from licensing requirements in Hong Kong or elsewhere. Also, the SFC may recognise an individual’s previous direct experience in technology as relevant industry experience if the individual has been a key person in developing, or ensuring the proper and continued functioning of, a technology, platform or system (ie, not merely providing system support) which is central to the VATP operated by the licensed corporation.

As with other regulated activities, applicants may need to pass local regulatory framework papers, depending on their academic and industry qualifications and experience.

Continuing Practical Training (CPT)

Licensed corporations must plan and implement a continuous education programme for the purpose of training employees and enhancing industry knowledge, skills and professionalism. Topics to be covered include fintech and virtual assets, cybersecurity, and risk management. The training programmes should be evaluated at least once a year.

The minimum annual requirement is twelve CPT hours for responsible officers and ten CPT hours for licensed representatives, with at least five CPT hours directly relating to the relevant activities. Two CPT hours per year must be completed on ethics-related subjects.

Financial Soundness

A licensed VATP operator must maintain in Hong Kong assets which it beneficially owns and which are sufficiently liquid, equivalent to at least 12 months of its actual operating expenses calculated on a rolling basis. The examples provided by the SFC for qualifying assets include cash, deposits, treasury bills and certificates of deposit, but exclude virtual assets.

A licensed VATP operator must maintain a minimum paid-up share capital of not less than HK$5 million, and maintain liquid capital that exceeds the required liquid capital under applicable financial resources rules. A licensed VATP operator must submit monthly and annual financial returns to the SFC. These reports include details of the calculation of liquid capital and required liquid capital, summary of bank loans, advances and other credit facilities and analysis of client assets as well as its profit and loss account.

A licensed VATP operator must notify the SFC in writing and as soon as reasonably practicable upon becoming aware of a number of matters indicating an adverse liquidity or financial situation. The more notable events include:

  • an inability to maintain sufficient assets, the paid-up share capital or liquid capital as required by regulation;
  • the liquid capital falling below 120% of its required liquid capital;
  • the liquid capital falling below 50% of the liquid capital stated in the last SFC return; and
  • not being able to meet any calls or demands for repayments for three consecutive business days.

Operations

Due diligence: A licensed VATP operator must perform all reasonable due diligence on virtual assets before admission to trading on the platform. The due diligence should cover:

  • the background of the management or development team of the virtual asset;
  • the regulatory status of the virtual asset in Hong Kong;
  • the supply, demand, maturity and liquidity of a virtual asset (except for a security token);
  • the technical aspects of a virtual asset;
  • the market and governance risks of a virtual asset;
  • the legal, money laundering and terrorist financing risks associated with the virtual asset and its issuer (if applicable); and
  • the enforceability of rights extrinsic to the virtual asset (e.g. rights to any underlying assets), and the potential impact of the virtual asset’s trading activity on the underlying markets.

The virtual asset must be of high liquidity. A platform operator should select virtual assets that are eligible large-cap virtual assets. This means the virtual asset must have been included in a minimum of two acceptable indices issued by at least two different index providers. The two index providers should be independent of each other, and one of them must have experience in publishing indices in respect of conventional securities.

A licensed VATP operator must select and appoint an independent assessor to conduct an independent smart contract audit for smart-contract based virtual assets, unless the VATP operator can justify relying on an audit conducted by an independent assessor appointed by a third party. The VATP operator must conduct ongoing monitoring of trading, and provide regular review reports to the token admission and review committee.

Token admission and review committee: A licensed VATP operator must establish a token admission and review committee to establish, implement and enforce:

(a) the criteria for admitting a virtual asset for trading;

(b) the criteria for suspending and withdrawing a virtual asset from trading; and

(c) the obligations of and restrictions on virtual asset issuers.

The committee should report to the board of directors of the VATP operator at least monthly and inform the board in cases of suspension and withdrawal of virtual assets. The criteria for admitting, suspending and withdrawing a virtual asset for or from trading should be transparent and fair and disclosed on the website of the operator.

Offering of virtual assets: The SFC has a strong preference that a VATP operator is licensed both under the SFO regime for virtual assets that are securities, and the AMLO regime for other virtual assets. If a VATP operator is not dual-licensed, it should be cautious that the virtual assets admitted for trading are not securities within the meaning of the SFO. If a VATP operator is dual-licensed and virtual assets are securities, then it must make sure that the offering complies with applicable laws in Hong Kong on the prospectus requirements for offering of shares and debentures and on offers of investments for other securities and investment products.

A licensed VATP operator must implement restrictions, access rights and controls to prevent retail investors accessing information or trading in virtual assets in breach of the offering regime under Hong Kong law.

Order recording and handling: A licensed VATP operator must record the particulars of all order instructions. Telephone records should be maintained for at least six months. The trade orders should be executed fairly, in the order in which they are received and on the best available terms.

Trading of virtual assets: A licensed VATP operator must implement trading and operational rules in relation to on-platform trading and off-platform trading (where applicable), and must establish and maintain policies and procedures to prevent or detect trading errors, omissions, fraud and other unauthorised or improper trading activities.

A licensed VATP operator should execute a trade for a client only if there are sufficient fiat currencies or virtual assets in the client’s account with the VATP operator to cover the trade, except for institutional professional investors for virtual asset trades that are independent of the VATP operator, the client and their respective corporate groups.

A licensed VATP operator must not provide any financial accommodation for clients to acquire virtual assets, nor offer gifts, commission rebates or other benefits (other than a discount of fees/charges) as part of the solicitation or recommendation of a virtual asset. A licensed VATP operator should not provide algorithmic trading services to its clients.

Market access: If a licensed VATP operator gives API access to clients, then the VATP operator must provide thorough and detailed documentation to clients.

Prevention of market manipulation

Internal controls: A licensed VATP operator must implement written policies and controls for surveillance of trading activities to prevent and report any market manipulation or abusive trading activities. The operator must notify the SFC as soon as practicable upon becoming aware of such activities, even if there is a potential risk only.

Market surveillance system: A licensed VATP operator must adopt an effective external market surveillance system to identify, monitor and detect any market manipulation or abusive trading activities. The surveillance system must be reviewed at least annually. The review report must be submitted to the SFC upon request.

Dealing with Clients

Access to trading services: There should be systems in place to ensure that persons banned from trading in virtual assets in other jurisdictions do not have access to trade in Hong Kong. A licensed VATP operator must conduct an investor knowledge assessment of a client before opening an account for that client, but this requirement does not apply to institutional and qualified corporate professional investors.

Know your client: Other than institutional and qualified corporate professional investors, a licensed VATP operator must:

(a) establish the true and full identity, the financial situation, investment experience and objectives of its clients;

(b) conduct a risk profile and tolerance assessment using proper and appropriate methodology; and

(c) set a limit in respect of a client’s exposure to virtual assets based on the client assessment conducted.

The risk profiling and assigned limit should be reviewed and updated periodically.

Client identity: A licensed VATP operator should obtain the identity, address and contact details of the person or entity who originates the instruction, and the person or entity that stands to gain the commercial or economic benefit from the transaction (or bear the commercial or economic risk or both).

Client agreement: Except for institutional and qualified corporate professional investors, a written client agreement should be in place before services are provided. The agreement should state or provide a description of the services to be provided and the risk disclosure statements. In particular, the client agreement must contain the prescribed standard clause on the suitability of the recommendation. The VATP operator is prohibited from including any client acknowledgement that the client has not relied on any recommendation made or advice given by the VATP operator.

Suitability obligations: A licensed VATP operator must provide sufficient factual, fair, balanced and up-to-date information on the features and risks of the virtual assets on its website to enable clients to make an investment decision.

A licensed VATP operator should conduct a suitability assessment before making recommendations or solicitations to clients (except for institutional and qualified corporate professional investors) to assess whether the recommendation or solicitation is reasonable in light of the client’s personal circumstances, risk profile and concentration risk. Mechanically matching a virtual asset’s risk rating with a client’s risk tolerance level may not be sufficient to discharge the suitability obligation.

A licensed VATP operator must determine whether a virtual asset is complex or non-complex with due skill, care and diligence. Suitable warning statements must be clearly made to clients (other than institutional and qualified corporate professional investors) prior to execution of a trade for complex products.

Opening of multiple accounts: Multiple accounts for the same client should be discouraged, except for sub-accounts in respect of a single client.

Disclosure: The website of the licensed VATP operator must include certain prescribed information, of which some notable disclosures include:

(a) trading and operational rules, and token admission and removal rules and criteria;

(b) admission and trading fees and charges, with illustrative examples;

(c) relevant information of a virtual asset admitted for trading:

(i) trading price and volume in the last 24 hours and since admission for trading;

(ii) information on the management or development team of the virtual asset; and

(iii) material terms and features of the virtual asset;

(d) link to the virtual asset’s official website and smart contract audit report (if any);

(e) market models, order types, trading rules and deposit and withdrawal processes of virtual assets and fiat currencies (if applicable);

(f) the rights and obligations of clients and the VATP operator, including the client’s liability for unauthorised transactions;

(g) circumstances under which the platform operator may disclose information to third parties; and

(h) dispute resolution mechanisms and system upgrades and maintenance schedules.

Clients are entitled to inquire as to the financial condition of the business and request copies of the latest audited financial statements and other relevant information.

Client confirmations: Before executing a transaction, a licensed VATP operator must confirm the particulars of the transaction (such as the name of the virtual asset, amount and value of the transaction) and give a warning that once executed the transaction may not be undone. After the transaction is executed, a VATP operator should confirm promptly the particulars of the transaction executed (including the fees and charges levied on the client).

Client reporting: Contract notes should be provided to clients within two business days after entering into the contract. A monthly statement of account should be delivered, which must set out the outstanding balance of the account, details of all relevant contracts and movements of the client’s virtual assets and the quantity and market value of each client virtual asset in the client account. The receipt of client assets from a client should be acknowledged in a written receipt within two business days after receipt.

Custody of Client Assets

Most client asset obligations are organised around the holding of client assets by an associated entity of the licensed VATP operator. An associated entity must be a wholly owned subsidiary of the VATP operator, incorporated in Hong Kong and holding a trustee and corporate service provider licence under AMLO. The associated entity must not conduct any business other than receiving or holding client assets on behalf of the licensed VATP operator.

Handling of client virtual assets/money: A licensed VATP operator should only hold client assets on trust for its clients through its associated entity. The VATP operator and its associated entity must have procedures in place to protect client assets from theft, fraud and other acts of misappropriation. They must review and approve reconciliation of client assets efficiently and promptly. Material discrepancies must be escalated to the senior management in a timely manner.

Client virtual assets: A licensed VATP operator must ensure that client virtual assets are properly safeguarded in wallet addresses which are established by its associated entity, and which are designated solely for holding client virtual assets. The client virtual assets should be segregated from the assets of the VATP operator and its associated entity.

The licensed VATP operator and its associated entity must store 98% of client virtual assets in cold storage, except for limited circumstances permitted on a case-by-case basis by the SFC. The VATP operator and its associated entity must have proper procedures to control access to cryptographic devices for authorisation and validation (including key generation, distribution, storage, use and destruction), and to determine how to deal with events such as voting, hard forks or airdrops from an operational and technical perspective. Each transfer of virtual assets between hot, cold and other storages should be properly documented.

A licensed VATP operator must only permit deposits and withdrawals of client virtual assets through any wallet address that belongs to the client and is whitelisted by the VATP operator (except under limited circumstances specified by the SFC).

A licensed VATP operator must have proper internal controls and governance procedures for private key management to ensure cryptographic seeds and private keys are securely generated, stored and backed up. These must be securely stored in Hong Kong. Access to seeds and private keys relating to client virtual assets should be limited to the minimum authorised personnel. No single person should have possession of information or access to the entirety of the seeds and private keys or backup passphrases.

Any decision to suspend the withdrawal of client virtual assets must be reasonable and the VATP operator must inform the SFC of any such decision without delay.

Client money: The associated entity of a licensed VATP operator must establish segregated accounts with an authorised financial institution in Hong Kong, and deposit any client money received into the segregated account within one business day after the receipt. No client money should be paid to any employees of the VATP operator or its associated entity, unless that employee is the client.

A client may give a licensed VATP operator or its associated entity a standing authority to deal with client assets. The standing authority may be renewed under a “negative consent” procedure, but any renewal must be confirmed in writing.

Disclosure to clients: A licensed VATP operator or its associated entity must fully disclose to its clients the custodial arrangements in relation to the client assets they are holding on behalf of their clients. This includes informing clients of the compensation policy in case of hacking or loss of client assets, and the rights and entitlements of the clients where events such as voting, hard forks and airdrops occur.

Ongoing monitoring: A licensed VATP operator should conduct regular internal audits to monitor its compliance with custody requirements. Non-compliance issues should be escalated to senior management. The VATP operator should also regularly review and deal with inactive or dormant accounts.

Insurance/compensation: A licensed VATP operator must have a compensation arrangement in place to cover the potential loss of 50% of client virtual assets in cold storage and 100% of client virtual assets in hot or other storage. This can be in the form of, or a combination of:

  • third party insurance;
  • bank guarantee; or
  • funds (in the form of a demand deposit or time deposit with a maturity period of six months or less) or virtual assets of the platform operator or its group.

A licensed VATP operator must monitor on a daily basis the total value of client virtual assets under custody in order to maintain the compensation threshold. Any shortage of the coverage of the compensation should be notified to the SFC, and prompt remedial measures must be taken.

Management and supervision

Responsibilities of senior management: The senior management of a platform operator must assume full responsibility for the operations of the licensed VATP operator and of its associated entity.

Segregation of duties: The duties and functions (such as sales, compliance, settlement and accounting functions) of a licensed VATP operator must be segregated from those of its associated entity. Compliance and internal audit functions must be segregated from and independent of the operational functions.

Risk management: The licensed VATP operator must establish and maintain an independent risk management function to monitor the implementation of risk management policies and procedures and regularly review these policies and procedures. The senior management should be provided with exposure reports on a regular basis, and be notified of material exposures promptly.

Compliance: There should be an effective and independent compliance function to establish, maintain and enforce policies and procedures to ensure compliance with applicable legal and regulatory laws, rules, regulations and codes. All occurrences of material non-compliance should be promptly reported to the senior management, and to the SFC where applicable.

Internal audit: There should be an independent audit function to evaluate and report on the adequacy, effectiveness and efficiency of the management, operations and internal controls of the licensed VATP operator and its associated entity. The internal audit function should adequately plan, control and record all audit and review work performed. There should be a direct line of communication to the senior management or the audit committee of the VATP operator (if applicable). The findings and recommendations should be reported directly to the senior management of the VATP operator.

Complaints: There should be policies and procedures in place to ensure complaints are properly handled, the investigative powers are outlined and appropriate remedial actions are taken. 

Cybersecurity

The licensed VATP operator must have written policies and procedures in place for the design, development, operation and modification of the platform (including the trading system and custody infrastructure). There should be sufficient human, technology and financial resources to ensure the smooth operation of the platform (including the monitoring of cybersecurity threats and attacks). There should be regular stress tests of the capacity of the platform, and there must be backups of the platform databases to an offline medium at least on a daily basis.

A licensed VATP operator must arrange for a technology audit to be conducted by a qualified independent professional at least once a year. The VATP operator should also conduct a stringent independent cybersecurity assessment (on areas such as wallet security and network/system security) before the launch of the platform or deploying modifications to the platform, and then on a regular basis.

A licensed VATP operator must have at least one responsible officer designated to be responsible for the overall management and supervision of the platform and setting out a cybersecurity management framework. Where the platform is provided by or outsourced to a third party service provider, then the VATP operator must have a service-level agreement with the service provider. However, the ultimate responsibility for compliance with the VATP Guidelines remains with the VATP operator.

Conflicts of interest

A licensed VATP operator and its associated entity must avoid any material interest in a transaction with or for a client which gives rise to conflicts of interest (actual or potential). If an actual or potential conflict of interest cannot be avoided, the VATP operator must make prior disclosure to the client and take all reasonable steps to manage the conflict and ensure fair treatment to the client.

A licensed VATP operator should not engage in market making activities on a proprietary basis. The VATP operator should not engage in proprietary trading in virtual assets for its own account or any account in which it has an interest, except for off-platform back-to-back transactions[43].

Employees of a licensed VATP operator or its associated entity are permitted to deal in virtual assets for their own accounts, provided proper internal policies and protocols are complied with.

Record keeping

A licensed VATP operator and its associated entity must establish policies and procedures to ensure the integrity, security, availability, reliability and completeness of all information, both in physical and electronically stored form, in relation to their activities. The records should cover business, accounting, financial and trading records as well as receipts, payments and deliveries in relation to client assets. These records should be reconciled on a monthly basis.

Certain records must be kept for at least seven years. These include:

  • records of assets and liabilities;
  • money and income received;
  • bank accounts held;
  • expenses, commission and interest incurred;
  • virtual assets held by it;
  • disposals of client virtual assets;
  • wallet addresses from which virtual assets were received and to which withdrawals were made;
  • contracts entered into;
  • suitability assessments;
  • reconciliations;
  • monthly statements of account;
  • client records; and
  • complaints.

Certain documents must be kept for at least two years after the close down of a platform or system of the platform operator. These include documentation relating to the design, development and operation of the platform, updates to the system, and risk management controls. 

Auditors

A licensed VATP operator must exercise due skill, care and diligence in the selection and appointment of the auditors to perform an audit of the financial statements of the VATP operator and its associated entity. The audit report must report on any failure to comply with requirements in relation to financial soundness, custody of client assets and record keeping.

Ongoing reporting obligations

The VATP Guidelines contain a significant and lengthy list of information which must be included in an application for a VATP licence, and for which notifications of changes are required. Some notable notification obligations of a licensed VATP operator include notification of:

  • proposed changes to the operations of the platform;
  • a material failure, error or defect in the operation of the trading, custody, accounting, clearing and settlement systems;
  • a material breach or non-compliance with applicable law, rules, codes and guidelines;
  • the appointment of a receiver, (provisional) liquidator or administrator to the VATP operator or its associated entity;
  • the VATP operator or its associated entity being wound up; and
  • the directors of the VATP operator or its associated entity being bankrupt.

Strict compliance required

The VATP Guidelines are lengthy, amounting to 115 pages of tightly formatted small font regulation. This is a thumbnail sketch of the more important obligations. An applicant for a VATP licence must fulfil these obligations upon grant of the licence, and the application process is designed to assess whether the applicant is able to do so.

It will not suffice to adopt the VATP Guidelines with minor changes, and present that to the SFC for the licence application. The VATP Guidelines are not a destination; they are the starting point. The regulatory requirements must be parsed, assessed and customised to the specific operating business of the VATP operator. The VATP Guidelines contemplate a number of policies, procedures and processes. These must all be documented and adapted to the operating needs of the VATP operator.

Compliance with the VATP Guidelines is not a paper-only exercise. Baked into the VATP Guidelines are requirements for external audit and assessment of various aspects of the business. Also, the phase two report of the qualified external assessor in the VATP licence application process is intended to be the granular assessment confirming full compliance with SFC requirements (including the VATP Guidelines) before the grant of the VATP licence.

These are onerous and prescriptive regulatory obligations. Applicants should carefully consider their resources, capacity and ability to meet the standards required. A VATP licence grants entry to the virtual asset arena in Hong Kong, which is developing into a key Web3 and digital asset centre. Compliance with law and regulation is the price of entry.

Conclusion

We have focussed in this article on the regulatory regime of VATPs in Hong Kong. However, VATP regulation is one part of a range of regulation applying in Hong Kong as it positions itself as a virtual asset hub. There are, or soon will be, regulatory frameworks for stablecoin issuers, OTC trading of virtual assets, and tokenised securities. However, it is clear that licensed VATPs will be at the core of the contemplated regulatory framework for virtual assets in Hong Kong. We, at Tanner De Witt, are well positioned to advise and assist clients on their individual virtual asset regulatory journey.

Pádraig Walsh and Shirley Kong


Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication. This article was last updated on 28 February 2024.


[1] See FATF, Virtual Currencies: Key Definitions and Potential AML/CFT Risks (June 2014)

[2] See FATF, Guidance for a Risk-Based Approach to Virtual Currencies (June 2015)

[3] See in particular, FATF, Interpretive Note to Recommendation 15 (June 2019)

[4] Chapter 615, Laws of Hong Kong

[5] See IOSCO, Research Report on Financial Technologies (Fintech) (February 2017)

[6] See IOSCO, Consultation Report on Issues, Risks and Regulatory Considerations Relating to Crypto-Asset Trading Platforms (May 2019)

[7] See IOSCO, Consultation Report on Policy Recommendations for Crypto and Digital Asset Markets (May 2023)

[8] See FSB, Crypto-asset markets: Potential channels for future financial stability implications (10 October 2018)

[9] See FSB, Assessment of Risks to Financial Stability from Crypto-Assets (16 February 2022)

[10] SFC sets out new regulatory approach for virtual assets [link]

[11] See SFC, Statement on regulatory framework for virtual asset portfolios managers, fund distributors and trading platform operators [link] and the charmingly titled SFC, Conceptual framework for the potential regulation of virtual asset trading platform operators [link] (both 1 November 2018)

[12] Fintech: a regulatory strategy for a dynamic industry Keynote speech at Hong Kong FinTech Week 2019 [link]

[13] Chapter 571, Laws of Hong Kong

[14] See SFC, Position paper: Regulation of virtual asset trading platforms (6 November 2019) [link]

[15] Virtual asset trading platforms operators [link]

[16] Guidelines for Virtual Asset Trading Platform Operators [link]

[17] Guideline on Anti-Money Laundering and Counter Financing of Terrorism (For Licensed Corporations and SFC-licensed Virtual Asset Service Providers) [link]

[18] Policy Statement on Development of Virtual Assets in Hong Kong [link]

[19] See FATF, Updated Guidance for a Risk-Based Approach: Virtual Assets and Virtual Asset Service Providers (2021) [link]

[20] See this link for the text of MiCA adopted by the EU Parliament in April 2023.

[21] Section 53ZRD(1) and (2), AMLO

[22] Cap. 615, Laws of Hong Kong

[23] Section 53ZRA(1), AMLO

[24] Chapter 571, Laws of Hong Kong

[25] Chapter 584, Laws of Hong Kong

[26] Section 53ZRA(2), AMLO

[27] Section 53ZR, AMLO

[28] Section 53ZR, AMLO

[29] Section 53ZR, AMLO

[30] Schedule 3B, AMLO

[31] Section 53ZR, AMLO

[32] See SFC, Consultation Paper on the Proposed Regulatory Requirements for Virtual Asset Trading Platform Operators Licensed by the Securities and Futures Commission (20 February 2023) [link]

[33] Section 53ZRD(1) and (2), AMLO

[34] Section 53ZRD(3) and (4), AMLO

[35] Section 53ZRB(1)(a), AMLO

[36] Section 53ZRB(1)(b), AMLO

[37] Section 53ZRE(1)(a) and (b), AMLO

[38] See FSTB, Consultation Conclusion: Public Consultation on Legislative Proposals to Enhance Anti-Money Laundering and Counter-Terrorist Financing Regulation in Hong Kong (May 2021) [link]

[39] Cap. 571, Laws of Hong Kong

[40] Cap. 615, Laws of Hong Kong

[41] Off-platform back-to-back transactions refer to transactions where a platform operator, after receiving (a) a purchase order from a client, purchases a virtual asset from a third party and then sells the same virtual asset to the client; or (b) a sell order from a client, purchases a virtual asset from the client and then sells the same virtual asset to a third party, and no market risk is taken by the platform operator.

[42] The “basic amount” is defined in Section 2 of the Financial Resources Rule which refers to 5% of the aggregate of: (a) the licensed corporation’s adjusted liabilities, (b) the aggregate of the initial margin requirements in respect of outstanding futures contracts and outstanding unlisted options and (c) the aggregate of the amounts of margin required to be deposited in respect of outstanding futures contracts and outstanding unlisted options contracts to the extent such contracts are not subject to payment of initial margin requirements.

[43] Off-platform back-to-back transactions refer to transactions where a platform operator, after receiving (a) a purchase order from a client, purchases a virtual asset from a third party and then sells the same virtual asset to the client; or (b) a sell order from a client, purchases a virtual asset from the client and then sells the same virtual asset to a third party, and no market risk is taken by the platform operator.