Source: https://www.hkma.gov.hk/media/eng/doc/key-information/guidelines-and-circular/2024/20240220e4.pdf
In Hong Kong, the introduction of the Virtual Asset Service Provider (VASP) licensing regime has opened up exchange services to retail investors for the first time, marking a significant advancement in the virtual asset field in Hong Kong. This new regime has not only attracted numerous platforms and institutions to apply for licenses but has also introduced stricter compliance requirements to ensure the proper protection of investors’ assets. Specifically, the Securities and Futures Commission (SFC) in Hong Kong requires exchanges to hold customers’ funds and virtual assets in trust through wholly-owned subsidiaries, meaning that exchanges need to hold both the VASP license and the Trust or Company Service Providers (TCSP) trust license. The TCSP license plays a crucial role in this framework and provides a new business scenario for the independent custody of virtual assets, ensuring the security and independence of assets.
Recently, the U.S. Securities and Exchange Commission (SEC) approved a Bitcoin spot ETF, with Coinbase being one of the eight custodians. This not only promotes the growth of its revenue but also signifies that digital asset custody has become a key area of competition for established institutions. On February 20, 2024, the Hong Kong Monetary Authority (HKMA) issued guidelines on digital asset custody activities, providing clear standards for governance and risk management, client asset segregation and protection, delegation and outsourcing for institutions applying for the TCSP license for virtual asset custody services.
In terms of standalone virtual asset custody business, the High Court of Hong Kong has confirmed in the case of Re Gatecoin Ltd [2023] HKCFI 914 that virtual assets are considered “property” and can be subject to trust arrangements. Therefore, if the relevant virtual asset custody business involves “express trusts or similar legal arrangements” for virtual assets, custodians must obtain the TCSP license issued by the Companies Registry of Hong Kong, such as wallets and custodians.
I. Latest Application Policy for Hong Kong Virtual Asset Custody Service Providers (TCSP)
A. Conditions for applying for the Hong Kong TCSP license
According to the Virtual Asset Service Provider Licensing Regime, the following conditions must be met to apply for the Hong Kong TCSP license:
– A company registered and incorporated in Hong Kong
– Good financial standing and reputation
– Adequate personnel and systems to manage virtual asset business (refer to the latest HKMA guidelines on digital asset custody activities for specific requirements)
– Establishment and implementation of effective policies and procedures to combat money laundering and terrorist financing
B. Application process for the Hong Kong TCSP license:
1. Prepare application materials
2. Submit the application to the SFC
3. SFC reviews the application
4. SFC decides whether to issue the license
C. Required documents for applying for the Hong Kong TCSP license include:
– Application form
– Company registration documents
– Proof of financial standing
– List of personnel and resumes
– Policies and procedures to combat money laundering and terrorist financing
– Business plan
– Technical architecture
– Risk management measures (refer to the latest HKMA guidelines on digital asset custody activities for specific requirements)
– Other materials required by the SFC
D. SFC’s review of the application includes:
– Reviewing the completeness of the application materials (refer to the latest HKMA guidelines on digital asset custody activities for specific requirements)
– Reviewing whether the applicant meets the conditions
– Conducting on-site visits to the applicant
E. Review timeline
The SFC will make a decision on the application within 6 months. If the SFC decides to issue the license, it will be issued to the applicant.
F. The latest policy introduces the following new requirements for applying for the Hong Kong TCSP license:
– The applicant must have a minimum registered capital of HKD 5 million.
– The applicant must hire at least two licensed responsible officers (RO) responsible for overseeing the compliance of virtual asset business.
– The applicant must establish and implement effective risk management measures, including KYC/AML policies, transaction monitoring, information security, etc.
II. Summary of the Hong Kong Monetary Authority’s Guidelines on Digital Asset Custody Activities issued on February 20, 2024 (refer to the guideline link for details)
A. Governance and risk management
Institutions should have sufficient resources, including expertise and manpower, to support effective governance and risk management. Additionally, considering the rapid changes in the digital asset industry, authorized institutions should provide ongoing training to employees involved in custody services to ensure they have the necessary knowledge and skills.
To ensure the security and independence of customers’ digital assets, authorized institutions must strictly segregate these assets from their own assets and hold them in designated customer accounts. This measure aims to protect customer assets and prevent them from being used to repay institutional debts in the event of bankruptcy or dissolution.
C. Protection of customers’ digital assets
Authorized institutions are responsible for ensuring the adequate protection and proper management of customers’ digital assets by establishing robust systems and control measures to prevent asset loss, theft, fraud, or any form of unauthorized access. This includes adopting a risk-based approach to assess and address various security threats, especially when using different types of distributed ledger technology (DLT), considering the potentially higher security risks associated with public permissionless networks.
Ensure authorization and verification in the processes of accessing, transferring, and managing customers’ digital assets, especially in the secure management of seeds and private keys, covering their generation, distribution, storage, use, and destruction.
Strictly audit and track access to storage devices and applications, as well as establish off-site backups and emergency plans for mnemonic phrases and private keys to ensure the security and recoverability of these critical information.
In the field of virtual asset custody, authorized institutions face the important decision of selecting suitable partners for delegating or outsourcing custody functions. The fundamental principle requires that these institutions only entrust custody tasks to authorized institutions or virtual asset trading platforms holding the relevant licenses. In particular, caution should be exercised when evaluating the delegation or outsourcing decision for tokens operating on public permissionless distributed ledger networks.
Ultimately, although delegation or outsourcing can bring efficiency and professionalism, authorized institutions still bear ultimate responsibility and accountability to ensure the security and compliant management of customer assets while maintaining the same level of systems and control standards as traditional financial activities.
E. Risk disclosure
Authorized institutions should disclose custody arrangements to their clients in a clear and understandable manner, including:
– The rights and obligations of the authorized institution and its clients, including clients’ ownership rights to their assets in the event of the authorized institution’s bankruptcy or liquidation.
– Custody arrangements, including the storage and segregation methods of clients’ digital assets, procedures and timeframes for accessing clients’ digital assets, and any applicable fees and costs.
– Compensation arrangements to cover potential losses of clients’ digital assets due to security incidents or misappropriation.
– The existence and nature of situations and arrangements where clients’ digital assets may be commingled with other client assets and the associated risks.
– The legal and/or beneficial ownership that authorized institutions will obtain for clients’ digital assets or any other ways of transferring, lending, mortgaging, re-mortgaging, or setting any security interests on clients’ digital assets, as well as the risks involved.
– The handling of clients’ digital assets in events such as voting, hard forks, and airdrops, as well as their corresponding rights and interests.
– Authorized institutions should fully and fairly disclose their custody arrangements to their clients, including the existence and nature of potential and/or actual conflicts of interest related to their custody activities.
F. Record-keeping and reconciliation of customers’ digital assets
Authorized institutions should maintain appropriate books and records for each customer to track and record ownership of customers’ digital assets, including the amount and types of assets owed to customers and the movement of assets between customer accounts. Regular and frequent reconciliations of customers’ digital assets should be conducted on a customer-by-customer basis, taking into account relevant off-chain and on-chain records. Any discrepancies should be promptly resolved and escalated to senior management as necessary.
Authorized institutions should establish systems and control measures to safeguard and protect all records related to custody activities and should provide these records to the Hong Kong Monetary Authority promptly upon request.
G. Anti-money laundering and counter-terrorist financing
Authorized institutions should ensure that their anti-money laundering and counter-terrorist financing (AML/CFT) policies, procedures, and controls effectively manage and mitigate any money laundering and terrorist financing risks associated with digital asset custody activities. Authorized institutions should comply with the “Guideline on Anti-Money Laundering and Counter-Terrorist Financing (Applicable to Authorized Institutions)” and the Hong Kong Monetary Authority’s AML/CFT guidance on digital asset custody activities.
H. Requirements for ongoing monitoring
Authorized institutions should regularly review their policies and procedures and conduct independent audits of their systems, controls, and compliance with applicable requirements for the custody of customers’ digital assets.
III. Difficulties and challenges
While the HKMA has provided clearer guidelines for virtual asset custody activities, reducing the need for speculation on the intentions of the Securities and Futures Commission (SFC), establishing a virtual asset custody service company that complies with the TCSP license requirements in Hong Kong is still a challenge. For exchanges and wallet institutions already in operation, this process requires not only the thorough construction of an IT infrastructure but also a deep understanding of regulatory policies, assurance of compliance, integration of anti-money laundering measures, establishment of security control systems, and the development of blockchain wallet technology. These tasks require extensive legal consultation, industry practice comparisons, and verification of operational feasibility.
In addition, the new policy in Hong Kong imposes higher requirements on the security of virtual assets, including the difficulty of obtaining full insurance coverage (which comes at a high cost, deterring many institutions), the time cost of establishing enterprise-grade custody technology trust and third-party custody credit, and the complexity of implementing regulatory requirements for independent account custody. These challenges highlight the complexity of establishing TCSP custody service providers in Hong Kong, but with careful planning and technological innovation, these issues can be overcome. The key lies in developing comprehensive governance strategies based on a deep understanding of the business, covering personnel allocation, operational rules, and risk control measures, to ensure smooth compliance with regulatory requirements and project implementation.
