Crypto Regulation in Hong Kong

Structured products

Structured products are defined broadly and include any product where all or part of the return or amount due (or both), or the settlement method, is determined by reference to any one or more of:

• changes in the price, value or level (or within a range) of securities, commodities, indices, property, interest rates, currency exchange rates or futures contracts, or any combination or basket of any of these; or

• the occurrence or non-occurrence of any specified event(s) other than an event relating only to the issuer and/or the guarantor of the product.

  

The SFC’s March 2019 statement suggests that, depending on how the tokens are structured, tokens representing an underlying asset could constitute structured products subject to Hong Kong’s securities laws. There has been no official guidance from the SFC on how it would regard stablecoins that are pegged to the price of assets such as gold or fiat currencies whose value may appreciate or not. Unlike jurisdictions such as the US, Hong Kong does not regulate commodities such as gold. It would therefore be illogical for a token representing a commodity, which is more akin to a deposit slip than a security, to be regarded as a security subject to Hong Kong’s securities regulatory regime. The Consultation Conclusions of the FSTB confirmed that cryptocurrencies that are backed by assets for the purpose of stabilising their value are virtual assets for the purposes of the proposed new regime. Thus, an exchange trading stablecoins which are not securities will need to be licensed with the SFC under the new licensing regime and comply with AML/CTF obligations (including customer due diligence and record-keeping requirements) as set out in Schedule 2 to the AMLO when it is implemented.

Regulated investment agreements

A ‘regulated investment agreement’ is an agreement, the purpose or effect is to provide to any party to the agreement a profit, income or other return calculated by reference to changes in the value of any property (e.g., equity-linked deposits) (but does not include a collective investment scheme).

Unless a security token offering is essentially a tokenised fund offering which is a collective investment scheme, there seems to be little support for the SFC’s statement that tokens representing digital ownership of assets such as gold or real estate constitute securities under the SFO. Further guidance on this from the SFC would be welcome.

(b) Regulatory Implications of STOs being “securities” under the SFO

Selling restrictions

The SFC’s March 2019 statement on STOs provides that where an intermediary markets or distributes security tokens, it should only offer them to professional investors. An offer of security tokens only to professional investors as defined in the SFO has the advantage of being exempt from the requirement for SFC authorisation of any advertisement or invitation issued in relation to an offer of securities (under section 103 SFO) where the security tokens are offered to more than 50 persons in Hong Kong.

Where STO tokens constitute interests in a collective investment scheme, restricting the offer to professional investors will mean that the stringent requirements of the SFC’s Code on Unit Trusts and Mutual Funds will not apply. Those requirements would likely render an STO unworkable given:

• the requirements for the appointment of a qualified fund manager and a custodian that is a bank or trust company registered under the Trustee Ordinance; and

• the investment restrictions applicable to retail funds which include a prohibition on real estate investment and a restriction on investing no more than 15% of the fund’s net asset value in investment products that are not listed on the HKEx or another recognised stock exchange.

Licensing Requirements for Intermediaries Marketing / Distributing Security Tokens

Where crypto assets are “securities” under the SFO, any exchange which provides trading in the security tokens and any intermediary which markets and distributes the security tokens must be licensed or registered by the SFC for Type 1 regulated activity (dealing in securities), and each of its staff members conducting trading or marketing of security tokens must also be licensed for Type 1. The SFC states in its March 2019 statement that security tokens should only be offered to professional investors.

Conduct Requirements for Licensed Intermediaries

STO suitability for intermediaries’ customers

Intermediaries which market and distribute security tokens must comply with the conduct provisions of the SFC’s Code of Conduct, in particular the requirement under paragraph 5.2 to ensure that customer recommendations and solicitations with respect to security tokens are reasonably suitable for the particular customer, given the information about the particular customer of which the intermediary is or should be aware through the conduct of due diligence.

Intermediaries should also refer to the SFC’s Suitability FAQs and FAQs on Triggering the Suitability Obligations. Although not referred to in the SFC statement, all licensed intermediaries are also under an obligation to conduct customer due diligence and anti-money laundering checks on their customers and these apply irrespective of the type of product being recommended or the subject of a customer solicitation.

STOs as Complex Products

The SFC regards security tokens as “complex products” as defined under paragraph 5.5 of the Code of Conduct. Paragraph 5.5 imposes additional obligations on licensed intermediaries which make recommendations or solicit investors with respect to complex products. In particular, licensed intermediaries and their licensed staff are required to ensure that:

• the security token is suitable for the client in all the circumstances;

• the client is provided with sufficient information on the key nature, features and risks of the security token to understand it before making an investment decision; and

• the client is provided with clear warning statements about the security token’s distribution.

Intermediaries’ Due Diligence Obligations

The SFC’s March 2019 statement mentions the need for intermediaries who market or distribute security tokens to conduct proper due diligence on the offering which should cover (among others):

• the background and financial soundness of the management, development team and the issuer of the security token; and

• the existence of and rights attached to the assets which back the security token.

Licensed intermediaries are also required to study security tokens’ whitepapers and all relevant marketing materials and other published information. The SFC’s March 2019 statement also notes intermediaries’ obligation to ensure that information provided to customers in respect of an STO is accurate and not misleading. This is the first time the SFC has raised the issue of the standard of due diligence it expects in relation to security token offerings and intermediaries’ responsibility for the accuracy of information.

Information to be Provided to Customers

Intermediaries should provide their customers with clear and comprehensible information on STOs which should include prominent warning statements alerting potential investors to the risks associated with digital assets. The SFC reminds licensed intermediaries to implement adequate systems and controls to ensure compliance with their regulatory obligations prior to engaging in security token distribution.

Requirement to Notify the SFC before Dealing in Security Tokens

The SFC also requires licensed intermediaries to notify it in advance prior to conducting any business in security tokens.

Shortcomings of the SFC’s Regulatory Approach

A loophole in the SFC’s regulatory approach to security token offerings is that the investor protection driven measures of the SFC Code of Conduct (the obligation to ensure the suitability of investment products for individual clients, anti-money laundering and counter-terrorist financing obligations etc.) only apply where a traditional intermediary is involved. The SFC Code of Conduct does not apply to issuers of securities and thus, on a typical security token offering, there is no obligation on the issuer to ensure the accuracy of the information provided in its marketing documents nor to assess the suitability of its tokens for prospective purchasers.

Additionally, token issuers and their designers and developers are typically based offshore, outside the regulatory remit of the SFC, and so, protection for Hong Kong investors against fraudulent or incompetent issuers is scant. The SFC Code of Conduct requirements referred to in the SFC’s March 2019 Statement will only ever apply where a Hong Kong SFC licensed or registered intermediary is engaged to market the tokens to Hong Kong investors – a scenario which has not yet occurred in Hong Kong. However, if security tokens are to be traded on a Hong Kong crypto exchange, the operator of the exchange will need to be licensed and thus secondary market trading will be subject to SFC regulation.

Under the SFO, security tokens, in the same way as traditional securities, cannot be marketed to Hong Kong investors except by an SFC Type 1-licensed entity. However, if security tokens are not “actively marketed” to the Hong Kong public, there is nothing to prevent Hong Kong investors from subscribing for tokens via an offshore platform and in this situation, none of the SFC Code of Conduct’s investor protection mechanisms will apply. Further, if the offering turns out to be a scam, Hong Kong investors have no means of redress other than a contractual claim or common law action against the token issuer. Given that whitepapers generally do not even contain the issuer’s legal name and registered address, this route to recovering losses will not be straightforward.

These issues are of course by no means unique to Hong Kong and regulators worldwide face similar challenges.

1.3 Virtual Asset Futures and CME and CBOE Bitcoin Futures

Virtual asset futures contracts are largely unregulated, highly leveraged and subject to extreme price volatility which urged the SFC to issue a statement warning investors of the risks in November 2019.[43] The SFC noted in the same statement that trading platforms or persons which offer and/or provide trading services in virtual asset futures contracts without being licensed under the SFO may be in breach of the SFO. Virtual asset futures contracts may also constitute “contracts for differences” under the Gambling Ordinance which may be illegal unless authorised under that ordinance.

Further, according to the SFC Circular on Bitcoin futures contracts and cryptocurrency-related investment products of December 2017,[44] a Hong Kong entity which enables Hong Kong investors to trade Bitcoin futures contracts which are traded on the Chicago Mercantile Exchange (the CME) or Chicago Board Options Exchange (the CBOE), including by relaying or routing orders for these Bitcoin futures contracts, will need to be licensed by the SFC for Regulated Activity Type 2 (dealing in futures contracts). These intermediaries are also expected to strictly observe the suitability requirement of paragraph 5.2 of the SFC Code of Conduct and the conduct requirements in relation to providing services in derivative products to clients under paragraphs 5.1A and 5.3 of that Code.

• SFC. SFC issues warnings on virtual asset futures contracts. 6 November 2019. Available at:https://www.sfc.hk/en/News-and-announcements/Policy-statements-and-announcements/SFC-issues-warnings-on-virtual-asset-futures-contracts
• SFC. Circular to licensed corporations and registered institutions on Bitcoin futures contracts and cryptocurrency-related investment products. 11 December 2017. Available at: https://apps.sfc.hk/edistributionWeb/gateway/EN/circular/doc?refNo=17EC79

2. THE LICENSING REGIME UNDER THE SECURITIES AND FUTURES ORDINANCE

The SFO gives the SFC authority over the securities and futures industry, which only gives it authority over entities conducting business activities in the very limited category of cryptocurrencies which are “securities” or “futures contracts” within the statutory definitions. The SFC has however issued statements which bring the following within the scope of the licensing regime under the SFO:

• firms managing funds that invest in virtual assets (in addition to traditional securities or futures contracts);

• firms distributing funds which invest in virtual assets (irrespective of whether they are securities or not); and

• exchanges providing trading services in virtual assets where at least one virtual asset is a security or futures contract.

  

However, despite many of the world’s largest crypto exchanges operating in Hong Kong, these currently remain unlicensed since they are outside the scope of the SFC’s licensing regime as they only trade cryptocurrencies (such as Bitcoin and Ethereum) which are not “securities” or “futures contracts” under the SFO (“non-SF virtual assets”). Thus, an exchange which only trades non-SF virtual assets or a firm which only manages funds investing in non-SF virtual assets is completely unregulated at present. Primary market issues and offers of cryptocurrencies (such as ICOs) which are not securities are also unregulated.

2.1 Regulation of Virtual Asset Portfolio Managers

As outlined, the SFC’s regulatory jurisdiction under the SFO does not extend to activities in the many cryptocurrencies (including the most widely traded, such as Bitcoin and Ethereum) which are not securities or futures contracts (i.e. non-SF virtual assets). The SFC has issued a number of warnings to potential investors of the risks of investing in cryptocurrencies.

In November 2018, the SFC published a regulatory framework which deals with its regulation of portfolio managers which invest in cryptocurrencies which are not securities or futures contracts. Portfolio managers include both fund managers and managers of discretionary accounts (in the form of an investment mandate or a pre-defined model portfolio). The statement extends the SFC’s regulation of the activities of licensed portfolio managers to cover their crypto-related services.[45] Where a firm is already or will be licensed for Type 9 regulated activity (asset management) for managing portfolios in traditional securities and/or futures contracts, its management of portfolios (or portions of portfolios) which invest in cryptocurrencies which are not securities or futures contracts is also subject to the SFC’s oversight. The SFC exercises oversight over the firm’s crypto-related activities through the imposition of licensing conditions.[46]

However, a portfolio manager which only manages funds which invest only in cryptocurrencies which are not securities or futures contracts does not need to be licensed for Type 9 regulated activity since managing funds investing only in cryptocurrencies that are not securities or futures contract is not a regulated activity. To the extent that the portfolio manager distributes the fund in Hong Kong, it will however need to be licensed for Regulated Activity Type 1 (dealing in securities) (see further at 2.2 below).

(a) De minimis provision

The additional licensing conditions are subject to a de minimis provision: they apply to firms which manage or plan to manage virtual asset funds or investment portfolios which:

• have a stated investment objective to invest in virtual assets; or

• intend to invest or have invested more than 10% of their gross asset value (GAV) in virtual assets directly or indirectly.

The licensing conditions do not however apply to:

• licensed corporations which only manage funds/portfolios investing in virtual asset funds (i.e. funds of funds); or

• licensed corporations managing portfolios whose mandate is to invest mainly in securities and/or futures contracts and their investment in virtual assets exceeds 10% of GAV only because of an increase in the prices of the virtual assets held in one or more of the portfolios. The licensed corporation is required to take all reasonable steps to reduce the portfolio’s investment in virtual assets below the 10% of GAV threshold. If, however, the position is expected to continue (i.e. virtual assets will continue to exceed 10% of GAV), the licensed corporation must alert the SFC which will consider imposing licensing conditions. Failure to notify the SFC may result in disciplinary action.

(b) Requirement to notify the SFC

Licensed corporations and licence applicants are required to inform the SFC if they currently manage, or plan to manage, one or more funds/portfolios that invest in cryptocurrencies, or intend to hold cryptocurrencies on behalf of funds/portfolios under their management. The notification requirement applies even if the fund/portfolio intends to invest less than 10% of the portfolio’s gross asset value in cryptocurrencies and whether or not the cryptocurrencies involved are “securities” or “futures contracts.” Failure to inform the SFC may constitute a breach of the Securities and Futures (Licensing and Registration) (Information) Rules.

On being informed that a firm is managing or plans to manage virtual asset portfolios, the SFC will send the standard licensing conditions [47] to the firm and these may be varied following discussions with the firm according to its particular business model. Licensed corporations which do not agree to comply with the licensing conditions will be prohibited from managing virtual asset portfolios and must unwind their cryptocurrency positions.

A new licence applicant has to agree to the licensing conditions proposed, or its licensing application will be rejected.

(c) The Licensing Conditions

The SFC has published Proforma Terms and Conditions for Licensed Corporations which Manage Portfolios that Invest in Virtual Assets[48] that it will impose on a fund manager that manages a fund (or portion of a fund) that invests in virtual assets and meets the de minimis threshold (a Virtual Asset Fund Manager). The conditions are onerous and include the following principal obligations.

1. Restriction to professional investors and disclosure requirements

Investors in a fund with a stated investment objective of investing in cryptocurrencies or which intends to invest 10% or more of its GAV in cryptocurrencies are restricted to “professional investors” as defined in the SFO (including high net worth investors under the Securities and Futures (Professional Investor) Rules). If a virtual asset fund will be distributed through distributors, the Virtual Asset Fund Manager must implement measures to ensure that the fund is only distributed to professional investors.

2. Safeguarding of assets

Despite the SFC acknowledging that crypto funds face ““a unique challenge due to the limited availability of qualified custodian solutions””, the SFC has imposed onerous obligations on licensed Virtual Asset Fund Managers in relation to custodians.

A manager of a virtual asset fund is firstly required to assess and select the most appropriate custodial arrangement – that is whether to hold the assets itself or with a third-party custodian or an exchange – taking into consideration the advantages and disadvantages of holding cryptocurrencies at different host locations by way of “hot” or “cold” wallets, considering (among others) the ease of accessibility to cryptocurrencies and the security of the custodial facility.

Virtual Asset Fund Managers are also required to exercise due skill, care and diligence in selecting, appointing and conducting on-going monitoring of custodians by reference to factors such as the custodian’s:

• experience and track record in providing custodial services for cryptocurrencies;

• regulatory status, particularly whether its cryptocurrency custodial business is subject to regulatory oversight;

• corporate governance structure and the background of its senior management;

• financial resources and insurance cover for compensating customers for loss of customer assets; and

• operational capabilities and arrangements, for example, its “wallet” arrangements and cybersecurity risk management measures.

Where cryptocurrencies are held by the licensed fund manager itself, it is required to document the reasons for self-custody and disclose the risks of self-custody to investors. Appropriate measures must be implemented to protect the fund’s assets and to effectively segregate the cryptocurrencies from the fund manager’s own assets in the event of its insolvency. The fund manager is also required to use best endeavours to acquire and maintain insurance cover over the cryptocurrencies.

3. Portfolio valuation

The SFC recognises that there are currently no generally accepted valuation principles for virtual assets, particularly ICO tokens. The licensing conditions however require licensed corporations to select valuation principles, methodologies, models and policies which are reasonably appropriate in the circumstances and in the best interests of investors. These also need to be disclosed to investors.

4. Risk management

Virtual Asset Fund Managers are required to set appropriate limits for each product or market the fund invests in. They should, for example, consider setting a cap on a fund’s investment in illiquid cryptocurrencies and newly-launched ICO Tokens and its exposure to counterparties. According to the risk management procedures set out in Appendix 2 to the Proforma Terms and Conditions, Virtual Asset Fund Managers should consider using more than one custodian to hold the fund’s assets to avoid undue concentration of risk. Periodic stress testing is also required to assess the effect of abnormal and significant changes in market conditions on the fund.

Before transacting with a crypto exchange, a licensed Virtual Fund Manager is required to assess the reliability and integrity of the virtual asset exchange taking into account matters such as its:

• experience and track record;

• legal or regulatory status;

• corporate governance structure and background of its senior management;

• operational capabilities;

• mechanisms (e.g., surveillance systems) implemented to guard against fraud and manipulation with respect to products traded on the exchange;

• cybersecurity risk management measures; and

• financial resources and insurance cover.

Exposure to individual crypto exchanges must be limited by setting appropriate caps.

5. Auditors

The SFC has noted that the accounting profession has no agreed standards and practices for how an auditor can perform assurance procedures to obtain sufficient audit evidence for the existence and ownership of virtual assets and ascertain the reasonableness of the valuations. Despite this, the SFC requires the appointment of an independent auditor to audit the financial statements of managed funds. The SFC also requires licensed corporations to consider auditors’ experience and capability in checking the existence and ownership of virtual assets, and ascertaining the reasonableness of their valuation, in their selection of an auditor.

6. Liquid capital

A licensed fund manager which holds cryptocurrencies on behalf of the funds it manages is required to maintain liquid capital equal to the higher of HK$3 million or the amount of its variable required liquid capital).

• SFC. “Statement on regulatory framework for virtual asset portfolios managers, fund distributors and trading platform operators”. 1 November 2018
• SFC. “Proforma Terms and Conditions for Licensed Corporations which Manage Portfolios that Invest in Virtual Assets”. October 2019.
• SFC. October 2019. “Proforma Terms and Conditions for Licensed Corporations which Manage Portfolios that Invest in Virtual Assets”. Available at:https://www.sfc.hk/web/EN/files/IS/publications/VA_Portfolio_Managers_Terms_and_Conditions_(EN).pdf
• Ibid

(d) SFC licensed crypto fund managers

To date, only one fund management firm, Venture Smart Asia Limited, has succeeded in obtaining a Type 9 asset management licence to manage funds investing in crypto assets. It is also licensed for regulated activities Types 1 and 4 and the firm acted as advisor to, and distributor of, the Bitcoin tracking fund launched by the firm’s blockchain arm, Arrano Capital.[49]

2.2 Regulation of Virtual Asset Fund Distributors

Fund distribution requires a securities dealer licence (Type 1) because a fund is a “collective investment scheme” which is a security irrespective of whether the fund invests in virtual assets which are securities or not. Accordingly, firms distributing virtual asset funds (whether as fund managers under an asset management licence or as fund distributors under a securities dealer licence) are required to comply with:

• the SFC’s regulatory framework for licensed corporations including its Code of Conduct for Persons Licensed by or Registered with the SFC (the Code of Conduct), including (among others) Know-your-Client (KYC) and AML and CTF obligations, as well as an obligation to ensure the suitability of product recommendations and solicitations for particular clients; and

• additional requirements set out in the SFC’s “Circular to intermediaries on the distribution of virtual asset funds” [50] of 1 November 2018 (the SFC November 2018 Circular) including extensive due diligence in relation to the virtual asset funds they distribute,[51] their fund managers and counterparties.

  

A fund manager which only manages funds investing in cryptocurrencies that are not securities does not need to be licensed for Type 9. This is because “asset management” is defined in the SFO as the management of “securities” or “real estate”. Managing a fund investing only in cryptocurrencies which are not securities is not therefore “asset management” and does not require a Type 9 licence.

However, the distribution of a fund which invests in cryptocurrencies that are non-securities will require the distributor (whether that is the fund manager or a third party distributor) to be licensed for Type 1 – dealing in securities. A fund is a collective investment scheme, which is within the SFO’s definition of “securities”, irrespective of the type of assets the fund invests in. A Type 9-licensed asset manager which also distributes the funds it manages can rely on the incidental exemption from need to be separately licensed for Type 1.

The SFC November 2018 Circular requires licensed corporations to comply with the SFC’s Code of Conduct for Persons Licensed by or Registered with the SFC (the SFC Code of Conduct) in distributing virtual asset funds (both authorised and unauthorized). In particular, they must ensure the reasonable suitability of any recommendation or solicitation made to a client under paragraph 5.2 of the SFC Code of Conduct.

The SFC November 2018 Circular also sets out additional requirements which apply to distributors of virtual asset funds which:

• are not authorised by the SFC for retail distribution under section 104 SFO; and

• have a stated investment objective of investing in virtual assets or intend to invest or have invested more than 10% of their GAV in virtual assets (i.e. funds which the licensed corporation knows, or should reasonably have known, to be investing more than 10% of their GAV in virtual assets at the time it distributes the fund, unless it has been advised that the fund manager intends to reduce the fund’s investment in virtual assets to below 10% of the fund’s GAV in the near future). The investment in virtual assets may be direct or indirect (i.e. through fund of funds and funds which invest in derivatives, for example, total return swaps, with virtual assets as the underlying).

Additional Requirements

The additional requirements that apply to licensed corporations distributing these funds include the following:

1. Selling restrictions

A distributor of a Virtual Asset Fund can only target professional investors as defined under the SFO. Except in the case of institutional professional investors (broadly, banks and regulated securities intermediaries), the distributor must also assess whether its clients have knowledge of investing in cryptocurrencies or related products before effecting a transaction on their behalf. A transaction can only be executed for a client without such knowledge, if this would be in the best interest of the client. However, the SFC has given no guidance on when a transaction can be considered as being in the client’s best interests. For the purposes of the knowledge assessment, a licensed corporation can take into account a client’s prior investment experience in private equity or venture capital or whether they have provided capital for a start-up business in the previous two years.

2. Concentration assessments

Licensed corporations must consider the aggregate amount to be invested by a client in virtual asset funds to be reasonable given the client’s net worth.

3. Due diligence on virtual asset funds not authorised by the SFC

Licensed corporations will need to conduct extensive due diligence on virtual asset funds (unless they have been authorised by the SFC for retail distribution), their fund managers and parties providing trading and custodian services to the funds. However, licensed corporations’ compliance with these obligations very much depends on the willingness of the various parties to disclose the required information. The assessments licensed corporations are required to make are difficult given the lack of developed standards in the industry. The due diligence is required to include (without limitation) an examination of the fund’s constitutive documents and completion of a due diligence questionnaire, in addition to making enquiries of the fund manager to obtain an in-depth understanding of the matters referred to below.

The due diligence the SFC expects to be conducted in relation to the fund manager covers:

• the fund manager’s background, relevant experience and (where applicable) the track record of its senior management, including its chief investment, operation, risk and technology officers;

• its regulatory status (e.g. whether it is subject to any regulatory oversight);

• its compliance history (i.e. whether it has been subject to any disciplinary or regulatory actions);

• its operations including its internal controls and systems;

• the existence of proper segregation of key functions (such as portfolio management, risk management, valuation and custody of assets) or of adequate compensating controls to prevent abuse;

• who has authority to transfer assets from the fund or custodians and what safeguards are in place;

• the persons responsible for, and the procedures for, reconciling transactions and positions, including the frequency of reconciliations;

• the methodology and the persons responsible for determining the pricing and assessment of the reasonableness of the determined price of cryptocurrencies;

• the fund manager’s IT infrastructure (e.g., in terms of security and access management); and

• its risk management procedures (including concentration limits, counterparty risk management procedures, stop-loss arrangements and stress testing), its liquidity risk management policy and disaster recovery plan.

In terms of the due diligence the SFC expects a licensed distributor to conduct in relation to the fund, this should cover:

• the fund’s targeted investors;

• list of instruments the fund intends to trade or invest in and any limitations on the size of its holding of ICO tokens, pre-ICO Tokens or other illiquid or hard-to-value instruments;

• its valuation policy (especially for ICO Tokens, pre-ICO Tokens or other illiquid or hard-to-value instruments);

• the custody arrangement for the fund assets, including the policy on the allocation of assets to be kept at different host locations, such as exchanges, custodians, hot storage, cold storage;

• its use of leverage and derivatives;

• the fund’s targeted risk and return per annum;

• key risks (as described in “Information for clients” below); and

• the fund’s auditors and audited financial statements, including whether the fund has received a qualified audit opinion in the past, and whether the audited statements are up to date.

The SFC expects a licensed distributor to perform the following due diligence on the fund’s counterparties that covers:

• their legal and regulatory status (e.g. whether they are regulated by any authorities to undertake custody business or trade in cryptocurrencies);

• their experience and track record in dealing in cryptocurrencies;

• the robustness of their IT systems (including cybersecurity risk management measures) and contingency plans; and

• their financial soundness and insurance coverage, e.g. whether they have insurance covering loss of customer assets.

4. Provision of information to clients

To assist clients in making informed investment decisions, licensed distributors are required to provide prominent warning statements covering certain risks including (among others):

• the continuing evolution of virtual assets and how this may be affected by global regulatory developments;

• price volatility;

• potential price manipulation on exchanges or trading platforms;

• lack of secondary markets for certain virtual assets;

• that most exchanges, trading platforms and custodians of virtual assets are currently unregulated;

• counterparty risk when effecting transactions with issuers, private buyers/sellers or through exchanges or trading platforms;

• the risk of loss of virtual assets, especially if held in “hot wallets”;[52] and

• cybersecurity and technology-related risks.

For licensed fund managers which both manage funds investing in virtual assets and distribute those funds, the requirements should not prove problematic, particularly where they provide custody for the virtual assets. The requirements are likely to be much more problematic for Type 1-licensed fund distributors where the extent of due diligence they will be required to perform on third party funds, their fund managers and custody arrangements may not be practical.

• The Standard. 21 April 2020. “HK first approved crypto fund eyes US$100 million”. Available at: https://www.thestandard.com.hk/section-news/section/2/218298/HK-first-approved-crypto-fund-eyes-US$100m
• SFC. Circular to intermediaries: Distribution of virtual asset funds. 1 November 2018. Available at: https://apps.sfc.hk/edistributionWeb/gateway/EN/circular/doc?refNo=18EC77
• The additional requirements will not apply to funds authorised by the SFC for retail distribution.
• A “hot wallet” refers to a wallet used for holding virtual assets in an online environment which provides an interface with the internet, which is more susceptible to cyber-attacks.

2.3 Regulation of Virtual Asset Exchange/Platform Operators

The SFC’s approach to the regulation of operators of crypto exchanges/ trading platforms is set out in its November 2019 Position paper: Regulation of virtual asset trading platforms.[53] According to that paper, the SFC will regulate trading platforms operating in Hong Kong only if they trade at least one cryptocurrency which is a security. Since the vast majority of cryptocurrencies are not securities, crypto exchanges which only trade cryptocurrencies that are not securities or futures contracts are not currently regulated. Indeed, the precondition that an exchange must trade at least one cryptocurrency which is a security (i.e., a security token) makes most ineligible for licensing even if they want to be licensed. More fundamentally, the SFC licensing framework applies only to centralised exchanges and not to decentralised exchanges on which investors trade on a peer-to-peer basis.

To date, the SFC has only licensed one crypto exchange. The SFC issued the first virtual asset trading platform licence on 16 December 2020 to OSL Digital Securities, a platform which will only provide services to professional investors which is one of the licensing conditions. The platform will be subject to the SFC’s “close supervision” and the Terms and Conditions for Virtual Asset Trading Platform Operators.

(a) Licensing Conditions for Hong Kong Crypto Exchanges

The SFC will impose the following licensing conditions on crypto exchange operators (Licensees):

• services may only be provided to professional investors;

• the Licensee must comply with “Terms and Conditions for Virtual Asset Trading Platform Operators” (the Terms and Conditions);

• the SFC’s prior written approval will be required for offering a new service or activity, or making a material change to an existing service or activity;

• prior written approval of the SFC must be obtained for any plan or proposal to add a product to a Licensee’s trading platform;

• the Licensee must provide the SFC with monthly reports on its business activities in the format prescribed by the SFC; and

• the Licensee must engage an independent professional firm to conduct an annual review of its activities and prepare a report confirming compliance with the licensing conditions and all relevant legal and regulatory requirements.

As noted in paragraph (b), it is a licensing condition that the licensed platform operator must comply with the Terms and Conditions for Virtual Asset Trading Platform Operators [54] which focus on the platform’s operations. A breach of any of the licensing conditions will constitute ‘misconduct’ under Part IX of the SFO and may also reflect adversely on the fitness and properness of the platform operator to remain licensed.

The terms and conditions which a licensed crypto exchange operator must satisfy relate firstly to providing safe custody of cryptocurrencies. The SFC expects a Licensee to adopt an appropriate operational structure and use technology to protect its clients equivalent to those required of traditional financial institutions in the securities sector.

1. Trust structure

Licensed platform operators must hold client assets on trust to enhance safekeeping of client cryptocurrencies and ensure that they are properly segregated from those of the platform operator. Any material legal uncertainties, particularly as to the nature of any legal claims they may have over cryptocurrencies traded by them on the platform, must be disclosed in full to clients.

The SFC mandates that client assets must be held through a company which is incorporated in Hong Kong which is a wholly-owned subsidiary of the licensed platform operator and holds a trust or company service provider licence under the AMLO.

There is uncertainty as to whether cryptocurrencies constitute ‘property’ under Hong Kong Law, which may affect a client’s rights in insolvency proceedings. Notwithstanding this, the SFC has said that this should not preclude the implementation of an interim regulatory regime.

2. Hot and cold wallet storage

The SFC requires the segregation of customers’ virtual assets. Licensed platform operators must store 98% of client cryptocurrencies in “cold wallets” (i.e. where private keys are kept offline) and limit their holdings of client virtual assets in “hot wallets” (i.e. where private keys are kept online rendering them vulnerable to external threats) to no more than 2%. Licensed platform operators must also minimise transactions out of the cold wallet in which a majority of client cryptocurrencies are held.

Platform operators are also required to have adequate processes in place for handling requests for deposits and withdrawals of client cryptocurrencies to guard against loss arising from theft, fraud and other dishonest acts, professional misconduct or omissions. The platform operator and its subsidiary holding the clients’ cryptocurrencies must also set out in writing details of the mechanism for transferring cryptocurrencies between hot, cold and other storage and the procedures for dealing with events such as hard forks and air drops from an operational and technical perspective,

3. Insurance

Licensed platform operators must have an insurance policy covering the risks associated with the custody of cryptocurrencies held in both hot storage (full coverage) and cold storage (a substantial coverage) which is in effect at all times.

4. Private key management

The SFC expects a licensed platform operator to set up and implement strong internal controls and governance procedures for private key management to ensure all cryptographic seeds and keys are securely generated, stored and backed up.

SFC KYC Requirements for Crypto Exchanges

The SFC requires licensed platform operators to take all reasonable steps to establish the true and full identity of each of its clients, and of each client’s financial situation, investment experience and investment objectives. Except for institutional and qualified corporate professional investors (as defined in the SFC Code of Conduct), before providing any services to the client, a platform operator must ensure that the client has sufficient knowledge of cryptocurrencies, including knowledge of the relevant risks associated with them. Where a client does not have that knowledge, services can only be provided to the client if the platform operator provides training to the client and enquires into the client’s personal circumstances.

Concentration risks are also required to be assessed by setting a trading limit, position limit, or both by reference to the client’s financial situation to ensure that the client has sufficient net worth to assume the risks and bear any potential trading losses.

Anti-Money Laundering (AML) and Counter Terrorist Financing (CTF) Requirements

Licensed platform operators are required to establish and implement adequate and appropriate AML/CTF policies, procedures and controls (AML/CTF Systems) to counter the money laundering and terrorist financing risks associated with cryptocurrencies’ anonymity. Platform operators must also regularly review the effectiveness of their AML/CTF Systems and effect appropriate enhancements, taking into account any new SFC guidance and updates of the FATF Recommendations applicable to cryptocurrency-related activities including Recommendation 15 and its related interpretive note. Cryptocurrency tracking tools can also be used to trace transaction histories against a database of known addresses connected to criminal activities.

Prevention of Market Manipulation and Abusive Activities

Licensed platform operators are required to establish and implement written policies and controls for the proper surveillance of activities on its platform in order to identify, prevent and report any market manipulative or abusive trading activities. They must also adopt an effective market surveillance system and provide the SFC access to this system to perform its own surveillance. Policies should be established for the proper surveillance of platform activities to identify, prevent and report market manipulative or abusive trading practices or activities.

Accounting and Auditing Requirements

Licensed platform operators are required to exercise due skill, care and diligence in selecting and appointing their auditors.

Risk Management and Conflict of Interest Identification

Licensed trading platforms are required to have a risk management framework which enables them to identify, measure, monitor and manage the full range of risks arising from their businesses and operations. Clients should pre-fund their own accounts, as licensed platforms are prohibited from providing any financial accommodation for clients to acquire cryptocurrencies.

Licensed platforms are prohibited from engaging in proprietary trading or market-making activities on a proprietary basis. If a platform plans to use market-making services to enhance liquidity in its market, this must be done at arm’s length and be provided by an independent external party using normal user access channels. A licensed platform operator must also have a policy governing employees’ dealing in cryptocurrencies to eliminate, avoid, manage or disclose actual or potential conflicts of interests.

Cryptocurrencies for Trading

Licensed platform operators are prohibited from offering or trading cryptocurrencies that are crypto futures contracts or crypto derivatives.

Licensed platform operators need to set up a function responsible for establishing, implementing and enforcing the rules setting out the obligations of, and restrictions on, issuers of cryptocurrencies, and the criteria for a cryptocurrency to be included on and/or withdrawn from its platform.

The platform operator is also obliged to conduct reasonable due diligence prior to including a cryptocurrency on its platform and must ensure that the cryptocurrencies traded on its platform continue to satisfy all of the application criteria. Matters which must be considered include:

• the background of the management or development team of the issuer of the cryptocurrency;

• the regulatory status of the cryptocurrency in each jurisdiction in which the platform operator provides trading services which includes whether the cryptocurrency can be traded under the SFO;

• the supply, demand, maturity and liquidity of the cryptocurrency, its market capitalisation, average daily trading volumes, whether other platform operators trade the cryptocurrency in question, the availability of trading pairs and the jurisdictions where the cryptocurrency has been offered;

• the marketing materials of the cryptocurrency which must not be misleading;

• the development and outcomes of any projects associated with a cryptocurrency should be included in the Whitepaper together with the major incidents associated with its history and development; and

• in relation to cryptocurrencies which are “securities” under the SFO, the licensed platform operator should only include those that are: (i) asset-backed; (ii) approved by or registered with regulators in comparable jurisdictions (as agreed by the SFC from time to time); and (iii) have a track record of 12 months or more since issue.

The operator of a virtual asset trading platform will typically be licensed by the SFC for Regulated Activities Type 1 (dealing in securities) and Type 7 (providing automated trading services). Once licensed, a platform operator will be required to comply with all relevant regulatory requirements in relation to all its business (i.e. in relation cryptocurrencies that are securities and those that are not). The SFC also requires that all virtual asset trading activities conducted by the platform operator and its group companies which are actively marketed to Hong Kong investors or are conducted in Hong Kong are carried out by a single legal entity licensed by the SFC. This includes all virtual assets trading activities on and off the platform and activities incidental to the trading activities.

• SFC. “Position Paper: Regulation of virtual asset trading platforms”. 6 November 2019.
• SFC. Terms and Conditions for Virtual Asset Trading Platform Operators. Available at: https://apps.sfc.hk/publicreg/Terms-and-Conditions-for-VATP_10Dec20.pdf

3. FSTB PROPOSALS FOR A NEW LICENSING REGIME FOR VIRTUAL ASSET EXCHANGES UNDER THE AMLO

In response to three-month consultation period from November 2020, on 21 May 2021, the FSTB published its Consultation Conclusions proposing a new licensing regime for virtual asset exchanges under the AMLO, which will require any person seeking to operate a virtual asset exchange in Hong Kong to apply for a license from the SFC as a licensed VASP under the AMLO (for carrying out “regulated virtual assets activity”), even if the exchange only trades non-securities virtual assets.

The proposed regime seeks to implement the FATF requirements for jurisdictions to regulate VASPs for AML/CFT purposes and supervise their compliance, a requirement introduced in February 2019 with the revision of FATF’s standards. The application of the proposed regime will however be much narrower than the FATF’s definition of VASPs, which also covers businesses involved in transferring or exchanging virtual assets, providing safekeeping and/or administrative services of virtual assets or instruments enabling control over virtual assets (including certain wallet providers) or providing financial services related to the offer or sale of virtual assets (e.g., ICOs). This is because the FSTB considers that activities of virtual asset exchanges to be the most prevalent and developed embodiment seen in Hong Kong covering the types of activities intended for regulation by the FATF whilst other FATF-regualated activities are scanty and negligible in Hong Kong at present, and their fund movements are traceable for AML/CTF purposes. Therefore, the current approach to regulate on virtual asset exchanges is tailored to the needs of the Hong Kong landscape, but the FSTB noted that it would monitor developments and the need to expand the regime at a later date. If the new licensing regime takes effect, virtual asset exchanges will have 180 days to obtain a VASP license.

3.1 Scope of Regulated Activity of Operating a Virtual Asset Exchange

Definition of a Virtual Asset Exchange

A virtual asset exchange will be defined as any trading platform which is operated for the purpose of allowing an offer or invitation to be made to buy or sell any virtual asset in exchange for any money or any virtual asset (whether of the same or a different type) and which comes into custody, control, power or possession of, or over, any money or any virtual asset at any point in time during its course of business.

This definition will require centralized virtual asset exchanges to be licensed, however, peer-to-peer trading platforms which only provide a forum for buyers and sellers of virtual assets to post their bids are excluded from the definition, provided that the actual transaction is conducted outside the platform and the platform is not involved in the underlying transaction by coming into possession of any money or any virtual asset at any point in time. As a result, decentralized virtual asset exchanges still fall outside the scope of the licensing regime.

Definition of Virtual Assets

The definition of a virtual asset in the proposals will be largely in line with that of FATF, which defines virtual asset as digital representations of value that can be digitally traded, or transferred, and can be used for payment or investment purposes. The definition of a virtual asset under the proposed AMLO will include a digital representation of value that:

• is expressed as a unit of account or a store of economic value;
• functions (or is intended to function) as a medium of exchange accepted by the public as payment for goods or services or for the discharge of a debt, or for investment purposes; and
• can be transferred, stored or traded electronically.

The definition will therefore cover non-securities virtual assets, such as Bitcoin and Etherem, as well as virtual coins that are stable (such as stablecoins) or not and irrespective of the purported form of underlying assets. However, digital representations of fiat currencies including digital currencies issued by central banks (CBDCs), financial assets already regulated under the SFO, stored value facilities which are separately regulated under the Payment Systems and Store Value Facilities Ordinance (Cap. 573), non-transferable, non-exchangeable and non-fungible closed-loop, limited purpose items (such as air miles, credit card rewards, gift cards, customer loyalty programmes and gaming coins) will be excluded from the definition of virtual assets.

Owing to the rapidly changing nature of crypto world, the FSTB highlighted the importance of flexibility in the proposed regime. To that end, the SFC will be given the power to interpret characteristics that constitute the definition of a virtual asset. In addition, the Secretary for Financial Services and the Treasury will also be entitled to determine whether any digital representation of value is to be considered as a virtual asset or not.

3.2 Virtual Asset Exchange Licensing Requirements

The FSTB, following the consultation process of the AMLO amendment bill, proposes that both locally incorporated companies with a permanent place of business in Hong Kong and foreign incorporated companies but registered in Hong Kong under the Companies Ordinance will be eligible to apply for a VASP license in Hong Kong. However, natural persons or business establishments without a legal personality such as sole traders or partnerships will not be ligible for a VASP license in Hong Kong.

The FSTB also proposes to prohibit any person who is not a licensed VASP from actively marketing, whether in Hong Kong or elsewhere, to the Hong Kong public a regulated virtual asset activity or a similar activity (services associated with a virtual asset exchange) performed outside Hong Kong.

Licensing applicants will have to appoint at least two responsible officers who will be generally responsible for ensuring the VASP’s compliance with AML/CTF requirements and other regulatory requirements. All executive officers of a VASP will be required to assume the role as responsible officers.

Licensing applicants, their responsible officers and ultimate owners will be required to satisfy a fit-and-proper test to be a candidate for VASP license in Hong Kong. The SFC will evaluate whether a person is fit and proper based on the following criteria:

• whether the person has been convicted in Hong Kong or other jurisdictions of a ML/TF offence, or another offence in which he was found to have acted fraudulently, corruptly or dishonestly;
• whether the person has failed or may fail to comply with the AML/CFT or other regulatory requirements governing licensed VASPs;
• the experience and relevant qualification of the person; and
• whether the person is of a good standing and financial integrity

3.3 Obligations of Licensed Virtual Asset Exchanges

A licensed VASP will be required to comply with AML/CTF requirements, including customer due diligence and record-keeping requirements stipulated in Schedule 2 of the AMLO, as well as other regulatory requirements for investor protection purposes.

Further, a licensed VASP could only offer services to professional investors, given that virtual assets industry is regarded as an emerging sector involving higher risks than conventional financial markets. They must also meet prescribed regulatory requirements including, inter alia:

• minimum paid-up share capital requirement and for certain businesses liquid asset requirement (to be determined by the FSTB);
• having proper corporate governance structure staffed by personnel with sufficient experience and expertise;
• ensuring prudence and soundness of business, and the non-interference of client and public interests;
• formulation and implementation of risk management policies and procedures for addressing ML/TF, cyber security or other risk;
• proper segregation and management of client assets, including effective policies and procedures for their proper management and custody;
• implementation and enforcement of robust listing and trading rules for virtual assets as well as performance of all reasonable due diligence on virtual assets prior to listing;
• compliance with financial reporting and disclosure requirements;
• prevention of market manipulative and abusive activities through implementing policies and controls for the proper surveillance of virtual asset exchange activities;
• impose rigorous criteria for the inclusion of virtual assets to be traded on its platform; and
• avoidance of conflicts of interest.

3.4 Proposed SFC Powers in Respect of Licensed Virtual Asset Exchanges

The SFC will be empowered to supervise the AML/CFT conduct of licensed virtual asset exchanges and to monitor, investigate and enforce their other obligations under the AMLO licensing regime. The SFC will also be given certain powers in relation to entering and inspecting premises and documents in order to investigate instances of non-compliance and will be empowered to impose administrative sanctions (including suspending or revoking a licence). Additionally, the SFC will also be provided with intervention powers to impose restrictions and prohibitions on the operations of a licensed exchange and its associated entities in certain circumstances, for example where it is necessary to protect client assets.

The FSTB also propose to amend Part 6 of the AMLO in order to expand the scope of reviewable decisions of the AML/CFT Review Tribunal to cover appeals against future decisions made by the SFC in relation to implementing the VASP licensing and supervisory regime.

4. MANAGING MONEY LAUNDERING AND TERRORIST FINANCING RISKS ASSOCIATED WITH VIRTUAL ASSETS

The existing AMLO is only applicable to financial institutions and designated non-financial businesses and professions (DNFBP), including entities that are licensed or registered by the SFC to carry out regulated activities. Under the new regime, licensed virtual asset exchanges are also required to comply with AML/CTF obligations under the AMLO. The HKMA and the SFC have reminded regulated bodies of the need to comply with latest recommendations issued by the FATF.

In response to the FATF’s Revised Recommendations, the HKMA published a notice on 16 December 2019 [55] (HKMA FATF Notice). The purpose of the HKMA FATF Notice was to provide guidance to authorised financial institutions in relation to the revised FATF Recommendations.

The HKMA FATF Notice reminded authorised institutions that when they establish and maintain business relations with VASPs, appropriate risk assessments should be carried out to differentiate the risks of each VASP, recognising that there is no ‘one size fits all’ approach. The approach that may be adopted by authorised institutions will depend on the nature of the relationship between the authorised institution and the VASP. Authorised institutions must generally undertake additional customer due-diligence measures, which includes the collection of sufficient information to adequately understand the nature of the VASPs business, determining from publicly available information whether or not the VASP is licensed or registered and subject to AML/CTF supervision, and assessing the AML/CTF controls of the VASP as appropriate. The HKMA FATF Notice explains that the extent of the customer due-diligence measures employed by the authorised institution should be commensurate with the assessed money laundering/terrorist financing risks of the VASP.

Before introducing new banking or investment products related to virtual assets, authorised institutions should also undertake money laundering / terrorist financing risks assessments, take appropriate measures to manage and mitigate the identified risks in accordance with the applicable legal and regulatory requirements which includes the requirements set out in the Guideline on Anti-Money Laundering and Counter-Financing of Terrorism.

• HKMA notice on Managing ML/TF risks associated with virtual assets (VAs) and virtual asset service providers. Available at:https://www.hkma.gov.hk/media/eng/doc/key-information/guidelines-and-circular/2019/20191216e2.pdf