Regulators around the world are racing against time to publish rules and guidance to regulate the crypto and blockchain industry. The Securities and Futures Commission of Hong Kong (HKSFC) is one of the few regulators that has taken a forward-looking and innovative stance, leading the way in regulating the crypto and blockchain industry. This approach has been coupled recently with the blessings1 of the second largest economy of the world.
INFRASTRUCTURE REQUIREMENTS
To follow on from our earlier article2, outlined below are the HKSFC’s infrastructure requirements under the VATP Guidelines. Unless defined otherwise, capitalised terms shall have the same meanings as in our earlier article.
1. Insurance
Platform Operators are expected to always maintain an insurance policy covering the risks associated with the custody of client virtual assets (CVA) in hot storage and other storage (full coverage) and cold storage (a minimum coverage of 50%). However, the HKSFC has now advocated greater flexibility for Platform Operators to meet the insurance requirement through:
a. implementing an HKSFC-approved compensation arrangement (Arrangement) to cover the risks associated with the custody of CVA (Trust Funds):
~ Types of assets: Bank guarantees, funds held in the form of demand deposits or fixed deposits with a maturity of six months or less would be acceptable;
~ Form of Arrangement: Apart from third-party insurance, (i) escrow arrangements, (ii) Platform reserved funds that are segregated from the assets of the Platform Operator or its group companies AND are set aside on trust with an authorized financial institution for the Arrangement (Trust Funds) and (iii) funds pooled jointly or individually by Platforms through insurance coverage over loss of client assets are all acceptable combinations for the Arrangement;
b. establishing a daily monitoring system to facilitate taking remedial measures to ensure compliance with the maintenance of the Arrangement and making notifications to the HKSFC when the Platform Operator anticipates that any client’s total value of CVA under custody may persistently exceed the total covered amount under the Arrangement; and
c. ensuring that Trust Funds are segregated from assets of the Platform Operator, its associated entity or affiliates and designated for the Arrangement.
If virtual assets (VAs) are included in the Arrangement, those VAs should be segregated from CVAs and from the VAs of the Platform Operator and its group companies, should be held in cold storage by its Associated Entity, AND should be the same as the CVAs covered under the Arrangement.
Any subsequent changes in the Arrangement require pre-approval from the HKSFC.
2. Custody Arrangement
Given that the HKSFC’s licensing regime seeks to regulate Platform Operators that operate like securities brokers and automated trading venues under the “same business, same risks, same rules” principle, the HKSFC’s regulatory approach also covers custody services ancillary to the provision of trading services by Platform Operators. Platform Operators are, therefore, expected to hold client money and CVA on trust through a wholly owned subsidiary (Associated Entity).
The Associated Entity must be a company which (i) has notified the HKSFC that it has become an “associated entity” of the Platform Operator under section 165 of the Securities and Futures Ordinance (Cap. 571 of the Laws of Hong Kong); (ii) is operated in Hong Kong; and (iii) holds a “trust or company service provider licence” under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615 of the Laws of Hong Kong).
Apart from the typically understood approach3 adopted in regulating brokerage custodial arrangements, the HKSFC’s additional requirements applicable to the Platform Operator and/or its Associated Entity are as follows:
| Function | Platform Operator | Associated Entity |
| --- | --- | --- |
| Business | Only hold Client Assets on trust through its Associated Entity | Only receive/hold Client Assets on behalf of the Platform Operator |
| Possession/Control of Client Assets | Adequately safeguarded and held in wallet addresses | Establish wallet addresses designated for holding CVA |
| | Destination addresses of client withdrawal instructions cannot be modified before the transactions are signed and broadcast to the respective blockchain | |
| Establish and implement written internal policies and governance procedures over CVA | SHOULD: (i) track and reconcile CVA to the clients to whom they belong; (ii) store 98% of CVA in cold storage, except as permitted by the HKSFC; (iii) minimize transactions out of cold storage; (iv) have detailed procedures for how to deal with events (such as hard forks or airdrops) from an operational and technical point of view. SHOULD NOT: (i) deposit, transfer, lend, pledge, repledge or deal with/create any encumbrance over CVA (with exceptions); (ii) conduct deposits or withdrawals through any wallet address unless the address belongs to the client and is whitelisted (using, for example, two-factor authentication and a separate email confirmation as confirmation methods by the Platform Operator), except as permitted by the HKSFC | |
| Establish and implement controls and procedures for private key management | To ensure all cryptographic seeds and private keys are securely generated4, stored in Hong Kong with appropriate certification (for example, a Hardware Security Module (HSM)) and backed up5: (i) have detailed specifications for authorization and validation of the method of access6 to cryptographic devices or applications, covering key generation, distribution, storage, use and destruction, as well as immediate revocation of a signatory’s access as required; (ii) document and clearly specify in detail the mechanism, authority and timing for transfers of VA between hot, cold and other storage, especially if by a non-automated process | |
| Adequate processes for handling deposit and withdrawal requests for CVA | To guard against losses arising from theft, fraud and other dishonest acts, professional misconduct or omissions, robust systems should be developed and maintained. For example, the Platform Operator should have: (i) safeguards against fraudulent requests or requests made under duress; (ii) controls preventing one or more officers/employees from transferring assets to a non-client-designated wallet address, e.g. systems to ensure that destination addresses of client withdrawal instructions cannot be modified before transactions are signed and broadcast to the respective blockchain | |
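The custody controls tabulated above (withdrawals only to client addresses whitelisted and confirmed by two separate methods, destination addresses that cannot change between approval and signing, and 98% of CVA held in cold storage) can be expressed as checks in code. The following Python is an added example written for this summary, not HKSFC code or any Platform Operator's own implementation; the data model, the HMAC-based placeholder signer (standing in for an HSM) and the treatment of the 98% figure as a simple value ratio are assumptions.

```python
"""Withdrawal and cold-storage controls modelled on the custody table above.

Constructed example, not SFC or any platform's code. The data model, the
placeholder signer and the plain-ratio reading of "98% in cold storage"
are assumptions made for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, field
from decimal import Decimal
from typing import Callable, Dict

COLD_STORAGE_MIN_RATIO = Decimal("0.98")  # "store 98% CVA in cold storage"


@dataclass
class WhitelistEntry:
    address: str
    two_factor_confirmed: bool = False  # confirmation method 1
    email_confirmed: bool = False       # confirmation method 2 (separate channel)

    @property
    def usable(self) -> bool:
        # Both confirmation methods must have completed before the address is used.
        return self.two_factor_confirmed and self.email_confirmed


@dataclass
class Client:
    client_id: str
    whitelist: Dict[str, WhitelistEntry] = field(default_factory=dict)


@dataclass(frozen=True)
class WithdrawalRequest:
    client_id: str
    asset: str
    amount: str      # decimal string, kept as text so the digest is canonical
    destination: str

    def digest(self) -> str:
        """Canonical hash over every field, so the destination is bound into
        what gets approved and later signed."""
        canonical = json.dumps(asdict(self), sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()


class CustodyControlError(Exception):
    """Raised when a request fails a custody control."""


def validate_withdrawal(client: Client, req: WithdrawalRequest) -> str:
    """Approve a withdrawal only to a confirmed, whitelisted client address.
    Returns the digest the signing step must later match."""
    if req.client_id != client.client_id:
        raise CustodyControlError("request does not belong to this client")
    entry = client.whitelist.get(req.destination)
    if entry is None:
        raise CustodyControlError("destination is not on the client's whitelist")
    if not entry.usable:
        raise CustodyControlError("whitelisted address not yet confirmed by 2FA and email")
    return req.digest()


def sign_if_unmodified(approved_digest: str, req: WithdrawalRequest,
                       signer: Callable[[str], bytes]) -> bytes:
    """Refuse to sign if the request presented for signing differs in any
    field (destination included) from the one that was approved."""
    if not hmac.compare_digest(req.digest(), approved_digest):
        raise CustodyControlError("withdrawal request modified after approval")
    return signer(req.digest())


def demo_signer(digest: str) -> bytes:
    # Placeholder only: a real deployment signs inside the HSM, never with an
    # in-process key like this one.
    return hmac.new(b"placeholder-signing-key", digest.encode(), hashlib.sha256).digest()


def cold_storage_ratio(cold: Decimal, hot: Decimal, other: Decimal = Decimal(0)) -> Decimal:
    """Share of total CVA value held in cold storage (1 when nothing is held)."""
    total = cold + hot + other
    return Decimal(1) if total == 0 else cold / total


def cold_storage_compliant(cold: Decimal, hot: Decimal, other: Decimal = Decimal(0)) -> bool:
    """True when the cold-storage share meets the 98% threshold."""
    return cold_storage_ratio(cold, hot, other) >= COLD_STORAGE_MIN_RATIO
```

The approval digest is the only thing the signing step trusts: any change to the destination (or amount) after approval produces a different digest and the signature is refused, which is the property the table asks for. The cold-storage check is a point-in-time ratio; a daily job would evaluate it after each hot-wallet top-up and alert before the threshold is crossed.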
Other than the above requirements, the Platform Operator and its Associated Entity are expected to properly handle and safeguard client money and act on standing authority given by clients in a manner that, in addition to providing greater investor protection, is not dissimilar to how client monies/standing instructions are currently handled by licensed intermediaries.7
3. Cybersecurity
As alluded to in our earlier article8, the HKSFC requires the submission of external assessor’s reports when submitting a licence application to the HKSFC. Notably, the assessor’s checklist for assessing a Platform Operator’s cybersecurity “readiness” is most extensive.
Considering market concerns over cybersecurity failures with the use of blockchain technology embedded in VAs, the HKSFC has further elaborated the security protocols to be adopted by Platform Operators in the design, development, deployment, operation and modification of the Platform, covering both trading system and custody infrastructure.
a. In particular, the Platform Operator is expected to implement a robust governance arrangement that involves:
- designating at least one responsible officer for the overall management and supervision of the Platform9;
- defining a cybersecurity management framework outlining the systems and processes10 underpinning the operation of the Platform;
- allocating adequate and qualified human (i.e. key personnel with necessary professional qualifications, management and technical experience), technology (i.e. appointment of a suitably qualified independent professional to conduct annual periodic technology audit and periodic cybersecurity assessment) and financial resources (i.e. budget and spending on defining and implementing the cybersecurity risk management framework);
- setting out key roles and responsibilities of staff members and identifying clearly reporting lines with supervisory and reporting responsibilities among staff members; and
- continuing review and feedback from the dealing, risk and compliance functions in view of changing market conditions and regulatory developments,
to ensure that the Platform operates properly and continuously.
b. As highlighted, the HKSFC has introduced minimum prescriptive security controls that the Platform Operator should employ to protect the Platform from being abused. Some of the key controls include:
- robust authentication and authorization methods and technology to ensure that access to the Platform is restricted to authorized persons only on a need-to-have basis, for example, through:
~ reviewing at least annually the user access list of the Platform and databases and revoke unnecessary user access and privileges (for example, for departed staff) on a timely basis;
~ maintaining an adequate access log which records details of staff members with access to the Platform and information relating to their access records, including the grant and basis for grant of approval for access, and establishing adequate protections to prevent tampering or erasure of the log;
- two-factor authentication for login into clients’ accounts;
- stringent password policies and session timeout controls;
- prompt notification to clients after certain client activities have taken place in the client accounts;
- adequate security controls11 over the infrastructure of the Platform:
~ grant access (including remote access) to its internal network and different segments of the network on a need-to-have basis;
~ implement and update anti-virus and anti-malware solutions, as well as endpoint detection and response technology on a timely basis;
~ implement Intrusion Prevention System (IPS), Intrusion Detection System (IDS) and Security Information and Event Management (SIEM) solutions to detect and generate alerts on any intrusion or unauthorized access to critical system servers and workstations on a real-time basis;
~ establish a Security Operations Center (SOC) or equivalent function with sufficient resources to take charge of all security monitoring processes and technologies and act as a coordinator for efficient incident detection and handling; and
~ establish physical security policies and procedures to protect critical Platform components (for example, HSM, the authorized storage media and devices used to store and transfer critical data) and apply segregation of duty or privilege separation to the access to critical Platform components, if applicable;
- use of a strong encryption algorithm to encrypt sensitive client information and trade data during transmission; and
- implementation of an effective monitoring and surveillance mechanism to detect unauthorized access to clients’ accounts.
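Two of the controls listed above, an access log that records the grant and basis of approval and is protected against tampering or erasure, and a periodic review that revokes access of departed staff, are shown together in the following Python. This is an added, constructed example, not HKSFC code or any Platform Operator's implementation; the record layout, the hash-chain design, the external "anchor" idea and the staff roster are assumptions.

```python
"""Tamper-evident access log and periodic access review.

Added, constructed example modelled on the access-control expectations
above. Not HKSFC or any platform's code; record layout, hash-chain design
and the staff roster are assumptions.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AccessRecord:
    staff_id: str
    system: str            # e.g. "trading-db" (constructed system names)
    privilege: str         # e.g. "read", "admin"
    approved_by: str       # who approved the grant
    basis: str             # recorded basis for the grant (or reason for revocation)
    on: str                # ISO date of the grant/revocation
    action: str = "grant"  # "grant" or "revoke"


class AccessLog:
    """Append-only log in which each entry's hash commits to the previous
    entry's hash, so editing or deleting an earlier entry breaks every
    later hash."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self._entries: List[Tuple[AccessRecord, str]] = []

    @staticmethod
    def _hash(prev: str, rec: AccessRecord) -> str:
        payload = json.dumps({"prev": prev, **asdict(rec)},
                             sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode()).hexdigest()

    def append(self, rec: AccessRecord) -> str:
        prev = self._entries[-1][1] if self._entries else self.GENESIS
        h = self._hash(prev, rec)
        self._entries.append((rec, h))
        return h

    def head(self) -> str:
        """Hash of the latest entry. Store it outside the log (for example
        forwarded to the SIEM) so that erasure of the tail is detectable too."""
        return self._entries[-1][1] if self._entries else self.GENESIS

    def verify(self, expected_head: Optional[str] = None) -> int:
        """Return -1 if the chain is intact, the index of the first modified
        entry, or len(entries) if the head no longer matches the externally
        stored anchor (entries erased from the end)."""
        prev = self.GENESIS
        for i, (rec, h) in enumerate(self._entries):
            if self._hash(prev, rec) != h:
                return i
            prev = h
        if expected_head is not None and prev != expected_head:
            return len(self._entries)
        return -1

    def records(self) -> List[AccessRecord]:
        return [rec for rec, _ in self._entries]


def current_access(log: AccessLog) -> Dict[Tuple[str, str, str], AccessRecord]:
    """Replay grants and revocations to find the privileges still in force."""
    held: Dict[Tuple[str, str, str], AccessRecord] = {}
    for rec in log.records():
        key = (rec.staff_id, rec.system, rec.privilege)
        if rec.action == "grant":
            held[key] = rec
        elif rec.action == "revoke":
            held.pop(key, None)
    return held


def stale_access(log: AccessLog, active_staff: Set[str]) -> List[AccessRecord]:
    """Privileges still in force for staff absent from the current roster
    (for example departed employees): candidates for revocation at the
    periodic access review."""
    return [rec for rec in current_access(log).values()
            if rec.staff_id not in active_staff]
```

A hash chain alone only detects modification of entries that have later entries after them; truncating the log from the end leaves a valid chain, which is why `verify` also takes the last hash as an external anchor. The review function deliberately works from the replayed state of the log rather than from a separate "current users" table, so that the review and the log cannot drift apart.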
Of particular importance, Platform Operators should continuously monitor major developments (such as technological changes or the evolution of security threats) relevant to all VAs.
4. Risk Management
Though the VATP Guidelines did not have a standalone chapter for “Risk Management”, the HKSFC has emphasized that the HKSFC’s regulatory regime aims to address prudential risks for financial intermediaries and to provide enhanced investor protection when the public interfaces with VAs12. The importance of “risk management” is a prevalent theme throughout the VATP Guidelines, and Platform Operators will be assessed on their competency with regards to their knowledge and understanding of risks inherent in the provision of VA trading services, such as counterparty risk, market risk, credit risk, financial risk, liquidity risk, operational risk and cybersecurity risk (including risk of fraud, errors and omissions, interruptions or other control failures).
Platform Operators should have a sound risk management framework to enable them to identify, measure, monitor and manage risks ranging from the technical aspects of VA (i.e. storage, transfer and/or custody) to legal, as well as money laundering and terrorist financing risks13 arising from the conduct of VA trading and operation of the Platform.
Key features of the risk management framework should include:
| Feature | Description |
| --- | --- |
| Independent and Qualified Personnel | Appointment of an independent risk manager14 to oversee and monitor risk exposures and risk management systems |
| Effective and Independent Functions | Should establish and maintain risk measures commensurate with the Platform Operator’s business strategies, size, complexity of its operations and risk profile; should monitor implementation and regular review of risk management policies and procedures |
| Effective Measures and Controls | System controls; automated pre-trade controls; regular post-trade monitoring |
| Adequate and Comprehensive Systems | Control procedures to ensure the integrity of data flowing into the risk management system; reporting systems ensuring robust information is produced for risk management purposes |
| Appropriate and Effective Policies and Procedures | How to set proper risk exposure limits for key business lines; how to communicate pre-determined risk exposure limits to responsible persons; how to measure and monitor risks; how to deal with exceptions to risk limits; when to review established policies and procedures |
| Financials | Requirement for clients to pre-fund accounts and prohibition against the Platform Operator providing financial accommodation to clients |
Specifically, with regard to the risks arising from the technology-based nature of VAs, a Platform Operator and its Associated Entity should:
- assess the risks posed to each storage method in view of the new developments in security threats, technology and market conditions and implement appropriate storage solutions to ensure the secure storage of CVA;
- keep the wallet storage technology up-to-date and in line with international best practices or standards;
- implement measures to deal with any compromise or suspected compromise of all or part of any seed or private key without undue delay, including the transfer of all CVAs to a new storage location as appropriate;
- review and approve policies and procedures, budget and spending on resources relating to cybersecurity risk management;
- have a written contingency plan that identifies potential emergencies and disruptions (including cyber-attacks), activates suitable backup facility/arrangements and handles queries from clients and/or regulators.
SIDLEY’S INSIGHT
It is apparent that the HKSFC has made great strides in understanding the usage, impact and risks arising from blockchain technology that underpins VA. As we all venture “Into the (Relatively) Unknown” universe of VA as a nascent asset class, the HKSFC’s detailed guidance provides a solid bedrock and pathway for financial intermediaries to expand/establish their business into VA with greater certainty and credibility among investors and regulators alike.
To ensure that Hong Kong achieves its goal to become the world’s “global VA hub”, let’s maintain an open dialogue with the regulator and find optimal solutions to challenges brought about by innovation.
- Insurance – Self-funding: Given that regulators globally are still grappling with the optimal regulatory regime to be adopted, the HKSFC’s proposal of permitting Platform Operators to meet their insurance requirements through self-funding, solely or in combination with other forms, embarks into unexplored territory, as the HKSFC has generally monitored licensed corporations’ funding requirements in accordance with the Securities and Futures (Financial Resources) Rules (Cap. 571N of the Laws of Hong Kong) (FRR). It is yet to be tested whether the HKSFC’s proposed Arrangement would effectively safeguard CVAs and provide the level of investor protection comfort for the investing public to engage in VA trading en masse. Following the introduction of greater flexibility for Platform Operators to meet their insurance obligation through the Arrangement, questions remain as to what combination of the various forms of Arrangement would be accepted by the HKSFC. How would the adoption of the self-funding option impact the Platform Operator’s financial resources obligations under the FRR?
- Custody – Associated Entity: Another distinct development of the HKSFC’s supervisory reach is its oversight of custodians among financial intermediaries servicing public and private funds, brokers and now Platform Operators over the years. There is limited published guidance on the HKSFC’s expected standard of conduct applicable to associated entities. However, the imposition of prescriptive responsibilities onto the Platform Operator with regards to its Associated Entity’s activities exemplifies the HKSFC’s approach of affording greater investor protection through holding Platform Operators responsible for safe custody of Client Assets. It is yet to be seen how the HKSFC’s approach may effectively protect Client Assets and its enforcement attitude towards non-compliance with the VATP Guidelines’ requirements by the Platform Operator and/or its Associated Entity.
- Cybersecurity – Keeping Abreast: Notably, the HKSFC has specified its expected minimum security control standards and highlighted that the onus is on the Platform Operator to keep abreast of major technological changes and the evolution of security threats in managing cybersecurity risks relevant to VAs. Nevertheless, there is no centralized database endorsed by the HKSFC, nor a common industry standard, to serve as a benchmark for whether the controls adopted by a Platform Operator would meet the HKSFC’s requirements relating to the design, development, deployment, operation and modification of the Platform against increasingly complex cybersecurity threats. It would, therefore, be helpful if the HKSFC could regularly publish its views of international best practices or standards to assist Platform Operators in monitoring their cybersecurity savviness.
- Risk Management – Tech Savvy: Adopting essentially the same approach in formulating a risk management framework to manage trading risks, the HKSFC acknowledged that trading in VAs exposes a Platform Operator to a matrix of risks ranging from counterparty risk, market risk, credit risk, financial risk, liquidity risk, operational risk, cybersecurity risk, legal risk and ML/TF risk. Both the HKSFC and Platform Operators need to embrace new technology on the one hand and manage the challenges and impact of such technology when trading in VA on the other hand. The implementation of an effective, independent and comprehensive risk management framework for VA calls for a strong commitment to embrace technological developments at an unprecedented pace. However, how “technologically savvy” are Platform Operators? How synchronized are Platform Operators with tracking and adopting international best practices or standards? What are the HKSFC’s objective criteria for determining whether and when the risk management framework established by the Platform Operator falls below international best practices or standards?
It is never easy to keep pace with the whirlwind of global and Hong Kong regulations15 governing the rapidly evolving virtual/digital assets industry. Sidley’s multidisciplinary team of lawyers is ready to navigate this dynamic and increasingly regulated industry with you. For Sidley’s insights on key client and product requirements (Onboarding) applicable to Platform Operators, please see here.
1 South China Morning Post Report (Xinmei Shen, 13:30, 13 April 2023), titled “Chinese officials pledge support for Hong Kong’s tech, Web3 ambitions at digital economy”.
2 “Hong Kong Virtual Asset Trading Platform Operators Licensing Regime: Dual Licensing Regime and Key Personnel Requirements”, Sidley Update, May 2023.
3 Client Assets (i.e. client money and CVA) are (i) to be held on trust by the Associated Entity; (ii) accounted for properly and promptly when handling client transactions and Client Assets; and (iii) segregated from assets of the Platform Operator/Associated Entity. The Platform Operator/Associated Entity should have appropriate and effective procedures to clearly define, and ensure adherence to, the authority to acquire, dispose of, move or utilize Client Assets. Further, robust processes should also be implemented to identify and highlight for action any errors, omissions or misplacement of Client Assets.
4 Private key and seed generation should be in accordance with applicable international security standards and industry best practices to ensure randomness and, preferably, should be generated offline and kept in a secure environment with appropriate certification.
5 Private key and seed generation should be in accordance with applicable international security standards and industry best practices to ensure randomness and, preferably, should be generated offline and kept in a secure environment with appropriate certification.
6 Tight restriction over access to seeds or private keys and their backups, as well as controls over same, should be implemented to mitigate the risk of collusion among authorized personnel. No single person should have possession of information on the entirety of the seeds, private keys or backup passphrases.
7 For example, under the Securities and Futures (Client Money) Rules (Cap. 571I of the Laws of Hong Kong), such rules will not apply to client money of a licensed intermediary that is received or held outside Hong Kong by the licensed intermediary or its associated entity, while that client money remains outside Hong Kong. In comparison, it is required under the VATP Guidelines to pay the client money received outside Hong Kong into a segregated account maintained with another bank in another jurisdiction as agreed by the HKSFC from time to time. Further, licensed intermediaries may establish and maintain segregated accounts to receive or hold client money, whereas only the Associated Entity of the Platform Operator may do so.
8 https://mp.weixin.qq.com/s/acVDKBD9r2f3NMoVlPnlaA.
9 This RO has overall management and supervision responsibility to review and approve the initial and ongoing due diligence of, and service level agreement and contract with a third-party service provider relating to the provision of outsourced services to the Platform.
10 The Platform Operator should have clear and proactively executed processes to evaluate the potential impact and risks of major technological developments, as well as to handle fraud attempts specific to distributed ledger technology (such as 51% attacks).
11 Detection rules of the endpoint detection and response technology and SIEM solutions should be updated as and when necessary (i.e. when there are new attack or threat scenarios that require additional detection rules).
12 Additional details to be covered by upcoming articles. Stay tuned!
13 Sidley’s insight of the HKSFC’s new stand-alone chapter incorporated into the Guideline on Anti-Money Laundering and Counter-Financing Terrorism (For Licensed Corporations and SFC-licensed Virtual Asset Service Providers) will be covered under a separate article.
14 The HKSFC may only accept alternative arrangements to the appointment of an independent risk manager in limited circumstances if the arrangements are (i) sufficient to manage business risk exposures; and (ii) enable effective control to be exercised over the operations of the Platform Operator.
15 “NFA Establishes Rule for Members Engaging in Digital Asset Activities, Including in the Spot Market”, Sidley Update, April 2023 and Paragraph 7, “UK/EU Investment Management Update (April 2023)”, Sidley Update, April 2023.
Attorney Advertising—Sidley Austin LLP is a global law firm. Our addresses and contact information can be found at www.sidley.com/en/locations/offices.
Sidley provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship. Readers should not act upon this information without seeking advice from professional advisers. Sidley and Sidley Austin refer to Sidley Austin LLP and affiliated partnerships as explained at www.sidley.com/disclaimer.
© Sidley Austin LLP