On 15 August 2025, the Hong Kong Securities and Futures Commission (HK SFC) issued its Circular to licensed virtual asset trading platform operators on custody of virtual assets. The circular sets minimum custody standards under the Hong Kong Securities and Futures Ordinance (Cap. 571) for all licensed virtual asset trading platforms (VATPs). It follows recent overseas incidents of compromised wallet solutions and aligns with Initiative 3 of Pillar “Safeguard” in the HK SFC’s ASPIRe Roadmap. The Circular established that client asset protection requires robust cold wallet governance, enhanced transaction verification, and 24/7 threat monitoring. These requirements now form mandatory obligations for licensed VATPs and will extend to providers of virtual asset custodian services once the legislative framework, as outlined in the Public Consultation on Legislative Proposal to Regulate Virtual Asset Custodian Services jointly issued by the Financial Services and the Treasury Bureau (FSTB) and the HK SFC, is implemented.
Definitions under the Hong Kong Custody Framework
- Virtual Asset Trading Platform (VATP): A trading platform licensed under the Hong Kong Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615) and the Hong Kong Securities and Futures Ordinance (Cap. 571).
- Virtual Asset Custodian Services: Defined in the Public Consultation on Legislative Proposal to Regulate Virtual Asset Custodian Services as the safekeeping of client virtual assets or instruments enabling their transfer (including private keys).
- ASPIRe Roadmap: The HK SFC’s 2025 regulatory framework structured around Access, Safeguards, Products, Infrastructure, and Relationships.
Senior Management Responsibilities under the Circular on Hong Kong VATPs
The circular requires each VATP to designate a Responsible Officer or Manager-in-Charge to oversee custody functions. In line with the Guidelines for Virtual Asset Trading Platform Operators, senior management must ensure effective internal controls, governance, and accountability for cold wallet security, private key management, and compliance with custody obligations.
Client Cold Wallet Infrastructure and Operations obligations on Hong Kong VATPs
Under the circular, cryptographic seeds and private keys must be generated offline, stored in certified hardware security modules, and backed up securely. Cold wallets should avoid smart contract reliance on public blockchains. VATPs must enforce whitelists for withdrawal addresses, apply multiple independent verification checks, and ensure signing devices are air-gapped, isolated, and dedicated solely to custody functions.
Use of Third-Party Wallet Solutions and Outsourcing Controls by Hong Kong VATPs
The HK SFC mandates strict due diligence on third-party wallet solution providers. VATPs must implement independent code reviews, supply chain management, audit trails, and segregation of duties. Ongoing provider assessments, including disaster recovery tests and cybersecurity audits, are compulsory. The circular requires monitoring of any outsourced infrastructure to ensure compliance with the Guidelines for Virtual Asset Trading Platform Operators.
Ongoing Real-Time Monitoring Requirements on Hong Kong VATPs
Licensed platforms must establish a Security Operations Centre or equivalent function with 24/7 monitoring. Custody systems must reconcile on-chain client assets with internal ledgers in real time. Escalation protocols require immediate senior management involvement upon anomalies. Monitoring must cover dependencies including blockchain protocols, encryption algorithms, and vendor systems, with alerts calibrated to capture vulnerabilities.
Training and Awareness Obligations on Hong Kong VATPs
The circular reinforces requirements under the Management, Supervision and Internal Control Guidelines for Persons Licensed by or Registered with the Securities and Futures Commission. VATPs must ensure ongoing training for staff, particularly transaction signers, to prevent blind signing and mitigate insider threats. Firms are expected to conduct phishing simulations and transaction validation exercises to strengthen awareness and compliance.
Legislative Context
The custody requirements align with the Public Consultation on Legislative Proposal to Regulate Virtual Asset Custodian Services (July 2025), which proposes a statutory licensing regime for custodian service providers under the Hong Kong Securities and Futures Ordinance (Cap. 571) and the Hong Kong Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615). Under the proposal, only entities licensed or registered with the HK SFC will be permitted to provide virtual asset custodian services in Hong Kong.
The HK SFC’s Circular on custody of virtual assets establishes immediate baseline obligations for VATPs and signals the forthcoming regulatory framework for dedicated custodians. These measures, are grounded in ASPIRe Roadmap and are reinforced by the parallel legislative consultation which is ongoing.
(Source: https://apps.sfc.hk/edistributionWeb/gateway/EN/news-and-announcements/news/doc?refNo=25PR124)
