Background

February was an important month in Hong Kong’s journey towards regulating the digital asset ecosystem and positioning itself as a leading innovation hub.  

On 20 February 2024, the Hong Kong Monetary Authority (HKMA) published comprehensive guidance on the provision of digital asset custody services (Custodial Services Circular) and the sale and distribution of tokenised products (Tokenised Products Circular) by authorised institutions in Hong Kong (AIs).  Together, these two circulars set out the supervisory standards expected of AIs when engaging in custody and dealing activities in relation to digital assets.  Importantly, AIs already engaged in digital asset custodial activities are expected to meet these standards in addition to other applicable legal and regulatory requirements.[1]  The key takeaways of each circular are summarised below.

Custodial Services Circular

Coverage

The Custodial Services Circular outlines the expected standards and requirements applicable to: (a) AIs; and (b) subsidiaries of locally incorporated AIs that provide digital asset custodial services to clients, whether the assets are received in the course of:

  • conducting virtual asset[2] (VA)-related activities as an intermediary[3];
  • distributing tokenised products; or
  • providing standalone custodial services.

This circular applies to “digital assets”[4] held on behalf of clients (client digital assets), including VAs, tokenised securities and other tokenised assets.[5] It does not apply to custody of limited purpose digital tokens,[6] or proprietary assets of an AI (or its group companies) not held on behalf of clients.

The Custodial Services Circular contains various principles-based governance and custodial standards, structured as follows:

(A) governance and risk management;

(B) segregation of client digital assets;

(C) safeguarding of client digital assets;

(D) delegation and outsourcing;

(E) disclosure;

(F) record keeping and reconciliation of client digital assets;

(G) anti-money laundering and counter-financing of terrorism; and

(H) ongoing monitoring.

These principles-based standards provide some flexibility for AIs to implement arrangements commensurate with the nature, features and risks of the digital assets under custody.  Read on for a more detailed summary of what this looks like in practice:

(A) Governance and risk management

AIs should:

  • Prior to launching custodial services for digital assets, undertake a comprehensive risk assessment of their digital asset custodial services, and establish appropriate policies, procedures and controls to manage and mitigate such risks.
  • Ensure the board and senior management oversee the risk management process so that such risks are identified, assessed and managed before engaging in custodial activities and on an ongoing basis.
  • Allocate adequate resources for custodial activities to ensure proper governance, operations, and effective risk management measures.
  • Ensure senior management and staff engaged in the AI’s custodial activities possess the necessary knowledge, skills and expertise to discharge their responsibilities, and offer adequate training to the relevant personnel.
  • Implement appropriate accountability arrangements, conflict of interest policies, and effective contingency and disaster recovery arrangements.

(B) Segregation of client digital assets

AIs should:

  • Hold client digital assets in separate client accounts segregated from the AI’s own assets to protect them from the AI’s creditors in the event of insolvency.
  • Refrain from transferring, or otherwise lending, pledging, re-pledging or creating any encumbrance over, any right, interest, ownership, legal and/or beneficial title in client digital assets, except: (i) for the settlement of transactions and/or fees and amounts owed by the client to the AI; (ii) with prior written consent from the client; or (iii) as required by law.
  • Implement adequate measures to prevent the unauthorised use of client digital assets.

(C) Safeguarding of client digital assets

AIs should:

  • Adopt a risk-based approach to developing systems and controls to safeguard client digital assets, taking into consideration the nature, features and risks of the client digital assets. 
  • Put in place adequate systems and controls[7] to ensure that client digital assets are promptly and properly accounted for and safeguarded against theft, fraud, negligence, misappropriation and any delay in access to, or inaccessibility of, client digital assets.
  • Where an AI holds client VAs, employ the measures in paragraph 11[8] of the appendix to the Custodial Services Circular; for other digital assets, adopt a risk-based approach to implementing the same measures.
  • Closely monitor trends and developments in security threats, vulnerabilities, attack and fraud risks and technological solutions.
  • Where applicable, establish effective client authentication and notification controls for any user interface or portal for clients.

(D) Delegation and outsourcing

  • For VAs, an AI may only delegate or outsource its custody function to another AI (or a subsidiary of a locally incorporated AI) or an SFC-licensed VA trading platform[9].
  • For digital assets other than VAs, if they are in the form of permissionless tokens on a public-permissionless distributed ledger technology (DLT) network, the AI should exercise extra caution and critically assess whether to delegate or outsource the AI’s custody function.
  • Before delegating custodial services, the AI should perform adequate due diligence (documented in writing) to assess and be satisfied with, among others, the delegate or service provider’s financial soundness, reputation, managerial skills, technical and operational capability, resilience capabilities, contingency and disaster recovery arrangements, and capacity to comply with the expected standards in the Custodial Services Circular and other applicable requirements.
  • An AI should maintain effective ongoing monitoring of the delegate or service provider’s performance.
  • The ultimate responsibility and accountability for any delegated or outsourced activity rests with the AI.

(E) Disclosure

AIs should provide full and fair disclosure of the custodial arrangements to clients in a clear and comprehensible manner, covering the following areas:

  • respective rights and obligations of the AI and its clients, including in the event of the AI’s insolvency or resolution;
  • details of the custodial arrangement, including how client digital assets are stored and segregated, the procedures and the time taken to deposit and withdraw client digital assets and the applicable fees and costs;
  • insurance / compensation arrangement to cover potential loss of client digital assets;
  • existence and risks of client digital assets commingled with assets of other clients;
  • circumstances and arrangements where the AI will take legal and/or beneficial title to the client digital assets, or otherwise transfer, lend, pledge, re-pledge or create any encumbrance over the client digital assets, and the risks involved;
  • treatment of client digital assets and respective rights and entitlements in events such as voting, hard forks and airdrops; and
  • existence and nature of any conflicts of interest associated with the AI’s digital asset custodial services.

(F) Record keeping and reconciliation of client digital assets

AIs should:

  • Maintain appropriate books and records for each client to track and record ownership of client digital assets, including the amount and the type of assets owed to the client and the movement of those assets to and from the client’s account.
  • Conduct regular and frequent reconciliation of client digital assets, taking into account both relevant off-chain and on-chain records, and escalate any discrepancies to senior management as appropriate in a timely manner.
  • Have appropriate systems and controls to retain and safeguard all records relevant to the AI’s custodial activities, and to provide such records to the HKMA in a timely manner upon request.

(G) Anti-money laundering and counter-financing of terrorism

AIs should:

  • Ensure effective AML/CFT systems are in place to manage and mitigate any money laundering and terrorist financing risks relating to the AI’s digital asset custodial activities.
  • Comply with the “Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (For Authorized Institutions)” and any other AML/CFT guidance issued by the HKMA on digital asset custodial activities.

(H) Ongoing monitoring

AIs should regularly review their policies and procedures, and conduct independent audits of their systems and controls and of their compliance with the applicable requirements in relation to the custody of client digital assets.

Implementation

AIs and subsidiaries of locally incorporated AIs:

  • already engaged in digital asset custodial activities should notify the HKMA and confirm that they meet the expected standards set out in the Custodial Services Circular by 20 August 2024 (i.e. 6 months from the date of the circular); and
  • intending to provide digital asset custodial services should discuss with the HKMA in advance and demonstrate that they meet the expected standards in the circular.

Tokenised Products Circular

AIs are expected to comply with the HKMA’s supervisory standards when selling and distributing tokenised products to clients (except where such products are regulated under the Securities and Futures Ordinance and governed by the HKMA’s and the SFC’s requirements).

General principle

As a general principle, the prevailing supervisory requirements and consumer/investor protection measures for the sale and distribution of a traditional investment product also apply to its tokenised form, since the tokenised form has terms, features and risks (other than risks arising from tokenisation itself) similar to those of the underlying product.

Fundamentally, tokenised products are traditional investment products with a tokenisation wrapper, but there could be situations where the nature, features and risks of such a product are altered by how it is structured and arranged in the tokenisation process.  Before selling a tokenised product, AIs should:

  • evaluate and understand the terms, features and risks of each tokenised product, and exercise professional judgment to ascertain the applicable legal and regulatory requirements; and
  • implement adequate systems and controls to comply with those requirements.

Along with the above general principle, AIs are expected to implement consumer/investor protection measures in relation to:

(A) due diligence;

(B) product and risk disclosure;

(C) risk management; and

(D) custodial services.

Read on for a more detailed summary of what this looks like in practice:

(A) Due diligence

AIs should:

  • Before offering tokenised products to customers, and on an ongoing basis thereafter, conduct adequate due diligence on and fully understand:
    • the terms, features and risks of the tokenised product, the underlying product and the tokenisation arrangement; and
    • the issuers of the tokenised product and their third-party vendors / service providers involved in the tokenisation arrangement, so as to be satisfied that the relevant ownership and technology risks are managed.
  • Implement appropriate arrangements for technology audits (e.g. smart contract audits), proper systems and controls for the overall operation of the tokenised product (e.g. private key management and safeguards against hacking and cybersecurity risks, etc.), and effective contingency plans for DLT-related events (e.g. network failures, cyber-attacks, unauthorised transfer, and loss of private keys, etc.).
  • If an AI issues or is substantially involved in the issuance of a tokenised product, assess the features and risks of the tokenised product when selecting appropriate custodial arrangements.[10]

(B) Product and risk disclosure

AIs should act in the customers’ best interests and adequately disclose material information specific to the tokenised product and the tokenisation arrangement to clients in a clear and comprehensible manner, covering:

  • the key terms, features and risks of the tokenised product;
  • the risks posed by the DLT networks utilised;
  • limitations on transfers of the tokenised product;
  • whether on-/off-chain settlement is final;
  • whether a smart contract audit has been conducted prior to deployment; and
  • controls and contingency plans for system malfunction, DLT network failure and other unforeseen circumstances.

(C) Risk Management

AIs should:

  • Implement proper policies, procedures, systems and controls for identifying and mitigating risks arising from tokenised product-related activities (e.g. complaints handling, compliance, internal audit and business contingency planning, etc.).
  • Allocate resources to ensure that the AI’s management and staff have the necessary expertise to carry out selling and distribution-related activities.

(D) Custodial services

AIs that are also providing custodial services of tokenised products are expected to meet the standards set out in the Custodial Services Circular (as summarised above).

Prior consultation with the HKMA

AIs should discuss with the HKMA in advance if they intend to engage in activities related to tokenised products.

Conclusion

The Custodial Services Circular and Tokenised Products Circular demonstrate the HKMA’s continued willingness to keep pace with the rapidly evolving digital asset sector in Hong Kong, subject to the appropriate safeguards from a consumer/investor protection perspective. The regulatory clarity gained from these two circulars should give AIs the confidence to bring more digital asset products and/or services to the market, whereas the protections set out in the circulars should give potential customers the comfort required to invest in or use these products and/or services.


1. AIs or the relevant locally incorporated AIs (with subsidiaries already engaging in such activities) should notify the HKMA and confirm that they meet the expected standards in the Annex within six months from the date of the Custodial Services Circular.

2. As defined in section 53ZRA of Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615) (AMLO).

3. Please refer to the “Joint Circular on intermediaries’ virtual asset-related activities” issued by the HKMA and the Securities and Futures Commission (the SFC), last updated on 22 December 2023, as summarised in our blog.

4. Defined broadly as “assets that depend primarily on cryptography and distributed ledger or similar technology”.

5. “Tokenised securities” and “other tokenised assets” refer to digital representations of “securities” as defined in the Securities and Futures Ordinance (Cap. 571) (SFO) and of other real-world assets respectively, using distributed ledger or similar technology to record ownership.

6. As defined in section 53ZR of the AMLO.

7. These systems and controls include, among others, written policies and procedures for authorising and validating access for effecting deposits, withdrawals and transfers of client digital assets, including access to the devices storing seeds and private keys, and for managing and safeguarding the seeds and private keys of client digital assets (including key generation, distribution, storage, use, destruction and backup).

8. These include: (a) generating and storing seeds and private keys (including backups) in a secure and tamper-resistant environment / devices (such as a hardware security module or HSM); (b) generating, storing and backing up seeds and private keys in Hong Kong; and (c) restricting access to cryptographic devices or applications on a need-to-know basis to authorised personnel with appropriate screening and training, etc.

9. Note that client assets will need to be held by a wholly-owned subsidiary of the licensed VA trading platform that holds a trust or company service provider licence and meets other applicable requirements.

10. Where permissionless tokens on public permissionless DLT networks are used, AIs should consider additional factors when selecting appropriate custodial arrangements.