On 16 January 2025, the Hong Kong Securities and Futures Commission (SFC) announced new regulatory standards for Virtual Asset Trading Platforms (VATPs). These measures, detailed in an official circular and appendices (Appendix 1 and Appendix 2), were introduced following inspections of VATP applicants under the deemed licensing framework. The aim is to enhance the security, compliance, and operational integrity of platforms operating in Hong Kong.
The HK SFC conducted comprehensive reviews focusing on cybersecurity, safeguarding client assets, and Know-Your-Client (KYC) practices. Findings revealed areas of non-compliance among certain platforms, prompting the issuance of detailed guidelines to ensure robust system management, adherence to legal obligations, and improved client protection.
These standards, outlined in Appendix 1 of a newly issued circular, target operational areas including cybersecurity, asset protection, and Know-Your-Client (KYC) compliance.
The HK SFC identified deficiencies in VATP cybersecurity, with issues such as inadequate network segmentation, outdated encryption algorithms, and weak access controls. To counter these risks, the HK SFC mandates advanced network segregation techniques, holistic privileged access management frameworks, and real-time monitoring through 24/7 security operations centres. Strong encryption must now secure all data storage and transmission, replacing vulnerable methods observed during inspections. Automated systems to detect unauthorised access to client accounts are also required to safeguard against hacking and fraud.
The protection of client assets was another area of focus for the HK SFC. The HK SFC described failures in segregating client funds from operational assets, improper wallet management, and breaches of the mandated “98/2 cold-to-hot wallet ratio.” Platforms must now store 98% of client assets in cold wallets, implement wallet address whitelisting, and secure private keys in certified environments within Hong Kong. Strict protocols for large withdrawals and deposits are required to minimise exposure to cyber threats and operational errors.
The HK SFC now requires VATPs to establish detailed recovery plans and ensure restoration of custody systems within 12 hours of a disruption. Platforms must also maintain fully functional backup facilities with equivalent security standards to primary sites and conduct regular tests to validate their recovery strategies.
The HK SFC also highlighted deficiencies in client access monitoring and control. Several platforms were found to allow unauthorised access from restricted jurisdictions or lacked adequate geolocation tools to block such activities. VATPs must now implement advanced geolocation systems, regularly evaluate monitoring tools, and document their compliance efforts to ensure that only authorised users access their services.
Insurance and compensation arrangements for client assets were scrutinised, with platforms required to maintain policies that cover 50% of assets in cold wallets and 100% in hot wallets. Operators must evaluate these policies for adequacy, including reviewing exclusions and deductibles, to guarantee client protection in cases of loss or fraud.
The HK SFC identified lapses in financial management, including delays in transferring client deposits to segregated accounts and weak controls over bank account operations. VATPs are now required to ensure that client funds are deposited directly into segregated accounts and to implement stringent dual signatory arrangements for bank transactions to minimise fraud risks.
Under the new standards, VATPs must implement stringent cybersecurity measures, including secure network segmentation, privileged access management, and encryption protocols. Platforms are required to monitor systems in real time and maintain continuous security operations to promptly address potential threats. Enhanced controls over client assets are mandated, such as segregation of funds, compliance with a 98/2 cold-to-hot wallet storage ratio, and stricter oversight of private key access.
VATPs must also establish rigorous KYC procedures and geolocation tools to prevent unauthorised access, particularly from restricted jurisdictions.
These enhanced standards take effect immediately. Although the HK SFC has not set a specific compliance deadline, the directive highlights the urgency of aligning practices with the prescribed regulations to avoid penalties or operational risks.
(Source: https://apps.sfc.hk/edistributionWeb/gateway/EN/circular/intermediaries/supervision/doc?refNo=25EC3)